none
Logon types in Windows Server RRS feed

  • General discussion

  • Logon types in Windows Server

    Here’s a list of the logon types you may find in Windows’ security event log when auditing:

    1 – Interactive

    Console Logons basically. 

    2– Network

    This logon happens when you’re accessing file shares using SMB for example.

    3– Batch

    This is used for scheduled tasks.

    4– Service

    This is used for services and service accounts that log on to start a service.

    5– Unlock

    This is used whenever a user unlocks their machine.

    6– Network Cleartext

    This is used when logging on over the network - when the password is sent in clear text (should happen to you!)

    7– New Credentials

    This is used when you run an application using the RunAs command.

    8– Remote Interactive

    This is used for the RDP applications like Terminal Services or Remote Assistance.

    9– Cached Interactive

    This is logged when users log on using cached credentials.


    Network is my LOVE
    Sunday, December 27, 2009 9:31 AM

All replies

  • Not a question. Suggest closing.
    Tuesday, January 17, 2012 7:46 PM
  • The above list is INCORRECT!  The logon type numbers are wrong.

    See: http://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx

    They SHOULD be as follows:

    2 - Interactive
    A user logged on to this computer.

    3 - Network
    A user or computer logged on to this computer from the network.

    4 - Batch
    Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

    5 - Service
    A service was started by the Service Control Manager.

    7 - Unlock
    This workstation was unlocked.

    8 - NetworkCleartext
    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

    9 - NewCredentials
    A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

    10 - RemoteInteractive
    A user logged on to this computer remotely using Terminal Services or Remote Desktop.

    11 - CachedInteractive
    A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

    Friday, April 13, 2012 2:12 PM
  • Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful logons, and 529-537 and 539 for failed logons). Windows supports the following logon types and associated logon type values:

    http://www.windowsecurity.com/articles/logon-types.html
    http://ithompson.wordpress.com/2008/06/06/windows-logon-types/

    However the question is not clear can you let us know what is the issue you are facing.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 2:34 PM
  • Can anyone tell me what logon type 13 is?
    Wednesday, January 16, 2013 8:29 AM
  • google is your friend....
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------
    <>

    "RichardBarry" wrote in message news:0484a5c5-c51c-40f1-8374-a44d1650aad6@communitybridge.codeplex.com...
    Can anyone tell me what logon type 13 is?

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Thursday, January 17, 2013 1:58 PM
    Moderator
  • The above list is INCORRECT!  The logon type numbers are wrong.

    See: http://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx

    They SHOULD be as follows:

    2 - Interactive
    A user logged on to this computer.

    3 - Network
    A user or computer logged on to this computer from the network.

    4 - Batch
    Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

    5 - Service
    A service was started by the Service Control Manager.

    7 - Unlock
    This workstation was unlocked.

    8 - NetworkCleartext
    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

    9 - NewCredentials
    A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

    10 - RemoteInteractive
    A user logged on to this computer remotely using Terminal Services or Remote Desktop.

    11 - CachedInteractive
    A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

    The question is for Windows Server 2008 your suggested link is for Windows Server 2003.  The Login Types do seem to be different.

    Ray

    Monday, April 20, 2015 4:38 PM
  • typedef enum _SECURITY_LOGON_TYPE {
        UndefinedLogonType = 0, // This is used to specify an undefied logon type
        Interactive = 2,      // Interactively logged on (locally or remotely)
        Network,              // Accessing system via network
        Batch,                // Started via a batch queue
        Service,              // Service started by service controller
        Proxy,                // Proxy logon
        Unlock,               // Unlock workstation
        NetworkCleartext,     // Network logon with cleartext credentials
        NewCredentials,       // Clone caller, new default credentials
        //The types below only exist in Windows XP and greater
    #if (_WIN32_WINNT >= 0x0501)
        RemoteInteractive,  // Remote, yet interactive. Terminal server
        CachedInteractive,  // Try cached credentials without hitting the net.
        // The types below only exist in Windows Server 2003 and greater
    #endif
    #if (_WIN32_WINNT >= 0x0502)
        CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose
        CachedUnlock        // Cached Unlock workstation
    #endif
    } SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;
    Thursday, July 11, 2019 11:25 AM