2025-03-31 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Summary: logs matter in most investigations, and logon logs most of all. A logon record tells you who authenticated, from where, by which mechanism, and whether it worked. Windows Server 2008 and later write essentially the same logon events; Windows Server 2003 uses an older event ID scheme and is no longer updated by Microsoft, so this article concentrates on the 2008 logon events.
I. Windows logon types
The meaning of each Windows logon type is shown in the following table:
Type ID | Logon type        | Description
--------|-------------------|------------------------------------------------------------------
2       | Interactive       | A user logged on to this computer at the console.
3       | Network           | A user or computer logged on to this computer from the network.
4       | Batch             | Used by batch servers, where processes may run on behalf of a user without the user's direct intervention.
5       | Service           | A service was started by the Service Control Manager.
7       | Unlock            | This workstation was unlocked.
8       | NetworkCleartext  | A user logged on to this computer from the network and the password was passed to the authentication package in its unhashed (plain text) form. The unhashed password may have crossed the network, for example when IIS performed Basic authentication.
9       | NewCredentials    | A caller (process, thread or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity but uses different credentials for other network connections.
10      | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11      | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Logon type 2, Interactive: a user logs on at the computer's console, that is, with the local keyboard.
Logon type 3, Network: most commonly access to a shared folder or printer. Logons to IIS over the network are also recorded as type 3 in most cases; the exception is IIS Basic authentication, which is recorded as type 8.
Logon type 4, Batch: when Windows runs a scheduled task, the Task Scheduler service first creates a new logon session so that the task can run under the account it was configured with, and Windows records that logon as type 4. Other job-scheduling systems may or may not behave the same way, depending on their design. A type 4 logon therefore normally means a scheduled task started. A failed type 4 logon deserves a look: it can mean someone is using scheduled tasks to guess an account's password, but the more common cause is a task whose stored password was not updated when the account's password changed.
Logon type 5, Service: like scheduled tasks, each service is configured to run under a particular account. When the service starts, Windows first creates a logon session for that account and records it as type 5. A failed type 5 logon usually means the account's password was changed but the credential stored for the service was not.
Logon type 7, Unlock: many organisations configure the screen saver to lock the screen after a period of inactivity, so the user must type the user name and password again to unlock it. That unlock is recorded as type 7.
Logon type 8, NetworkCleartext: normally seen for IIS Basic authentication (ASP applications protected that way, for example). The password reaches the authentication package in clear text and may have crossed the network in clear text, so this type should be avoided unless the connection is protected by TLS.
Logon type 9, NewCredentials: produced when a program is started with alternate credentials that apply only to outbound network connections, typically runas /netonly. The local identity stays the same; only network connections use the new credentials.
Logon type 10, RemoteInteractive: a logon through Terminal Services, Remote Desktop or Remote Assistance is marked type 10 to distinguish it from a real console logon. Windows versions before XP did not have this type; Windows 2000, for example, records a Terminal Services logon as type 2.
Logon type 11, CachedInteractive: used when a domain user logs on away from the corporate network and no domain controller can be reached. By default Windows caches a verifier (a hash) for the last 10 interactive domain logons (the CachedLogonsCount setting; Windows Server editions default to 25). When a domain user logs on later with no domain controller available, Windows checks the credentials against these cached verifiers instead.
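An added example, not part of the secisland article: the logon type above is the LogonType field in the EventData of events 4624 and 4625. When the Security log is exported as XML (for instance with wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml /c:20, or Get-WinEvent followed by .ToXml()), every field the Event Viewer renders as a labelled line appears as a <Data Name="..."> element. The Python below parses such an export, flattens it into a dict and decodes the logon type. The sample event is constructed to mirror the RDP 4624 event shown in section II.2 of this article; it is not a real export, and its timestamp is assumed.

```python
import xml.etree.ElementTree as ET

# Namespace used by every event that wevtutil or Get-WinEvent exports as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types from the table above (4624/4625 EventData field "LogonType").
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample modelled on the RDP 4624 event shown later on this page
# (not a real export; the UTC timestamp is assumed from 2016-9-23 16:57:55 +08:00).
SAMPLE_4624 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2016-09-23T08:57:55.000000000Z"/>
    <Channel>Security</Channel>
    <Computer>WIN-K7LDM0NKH6O</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-K7LDM0NKH6O$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN-K7LDM0NKH6O</Data>
    <Data Name="TargetLogonId">0xa93db</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">WIN-K7LDM0NKH6O</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">192.168.0.122</Data>
    <Data Name="IpPort">10898</Data>
  </EventData>
</Event>"""


def parse_security_event(xml_text):
    """Flatten one Security event into a dict: a few System fields plus every
    EventData <Data Name="..."> value, keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        # Real exports pad some values ("User32 "), so strip before comparing.
        event[data.get("Name")] = (data.text or "").strip()
    return event


def logon_type_name(value):
    """Map the LogonType field (a string in the XML) to the name in the table above."""
    code = int(value)
    return LOGON_TYPES.get(code, "Unknown(%d)" % code)


def describe_logon(event):
    """One-line analyst summary of a 4624 (success) or 4625 (failure) event."""
    outcome = "success" if event["EventID"] == 4624 else "failure"
    return "%s logon %s: %s\\%s from %s via %s/%s" % (
        logon_type_name(event["LogonType"]), outcome,
        event.get("TargetDomainName", "-"), event.get("TargetUserName", "-"),
        event.get("IpAddress", "-"), event.get("LogonProcessName", "-"),
        event.get("AuthenticationPackageName", "-"))


if __name__ == "__main__":
    print(describe_logon(parse_security_event(SAMPLE_4624)))
```

The same parser handles 4625, 4648, 4672 and 5140 exports, since they all use the System/EventData layout; only the Data names differ, and the field names used in the rest of this article (Subject, New Logon, Logon ID, Source Network Address) correspond to SubjectUserName, TargetUserName, TargetLogonId and IpAddress respectively.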
This article was originally created by secisland. Please indicate the source of the reprint. Thank you!
II. Log analysis of common logon types (Windows Server 2008 as the example)
1. Local interactive logon, the everyday case.
Start with a successful logon. At least two events are written, 4648 and 4624. The Event Viewer rows are shown below, top to bottom.
Audit Success   2016-9-23 10:36:12   Microsoft Windows security auditing   4648   Logon
Audit Success   2016-9-23 10:36:12   Microsoft Windows security auditing   4624   Logon
First the 4648 event, which records that a logon was attempted with explicitly specified credentials. The User column of the header is N/A; in the body the Subject is SYSTEM, because it is winlogon.exe, running as SYSTEM, that presents the credentials typed at the console. The description reads:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 10:36:12
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O (name of the target machine)
Description:
A logon was attempted using explicit credentials.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$ (the computer account: host name with a $ suffix)
  Account Domain: WORKGROUP (the host is a member of a workgroup named WORKGROUP, not of a domain)
  Logon ID: 0x3e7 (the SYSTEM logon session; this value is always 0x3e7)
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
  Account Name: wrh (the user name typed at the logon screen)
  Account Domain: WIN-K7LDM0NKH6O (a local account, so the domain is the host name)
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
  Target Server Name: localhost
  Additional Information: localhost
Process Information:
  Process ID: 0xfb8
  Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Network Address: 127.0.0.1
  Port: 0
Next the 4624 event:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 10:36:12
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account was successfully logged on.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$ (the computer account: host name with a $ suffix)
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
Logon Type: 2 (Interactive)
New Logon:
  Security ID: WIN-K7LDM0NKH6O\wrh
  Account Name: wrh (the account that logged on)
  Account Domain: WIN-K7LDM0NKH6O
  Logon ID: 0x51a72 (ID of the new session; later events for this session, such as 4672, carry this value)
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
  Process ID: 0xfb8
  Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: WIN-K7LDM0NKH6O
  Source Network Address: 127.0.0.1
  Source Port: 0
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
Now the failed local logon. A failed logon produces event 4625.
Audit Failure   2016-9-23 10:35:13   Microsoft Windows security auditing   4625   Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 10:35:13
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account failed to log on.
Subject:
  Security ID: WIN-K7LDM0NKH6O\Administrator
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
  Logon ID: 0x1f903
Logon Type: 2 (Interactive)
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: wrh (the account whose logon failed)
  Account Domain:
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006e
  Sub Status: 0xc000006e
Process Information:
  Caller Process ID: 0xec0
  Caller Process Name: C:\Windows\System32\dllhost.exe
Network Information:
  Workstation Name: WIN-K7LDM0NKH6O
  Source Network Address: -
  Source Port: -
Detailed Authentication Information:
  Logon Process: Advapi
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
Two details of this failure are worth reading carefully. The Subject is the Administrator's own session (Logon ID 0x1f903), the Logon Process is Advapi and the caller is dllhost.exe: that combination means the credentials were checked through the LogonUser() API from a process in the Administrator's session (a credential prompt, for instance), not rejected at the console logon screen, which would show winlogon.exe and User32 as in the successful case above. The Failure Reason text is generic; the Status and Sub Status codes identify the cause (0xC000006E is STATUS_ACCOUNT_RESTRICTION; a Status of 0xC000006D with Sub Status 0xC000006A would be a wrong password, and 0xC0000064 a user name that does not exist).
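An added example (not from the secisland article): the rendered Failure Reason in a 4625 event is generic, so a triage script should decode the Status and Sub Status NTSTATUS codes and read the Logon Process as well. The Python below does that for 4625 events already flattened into dicts with the XML field names (Status, SubStatus, LogonType, LogonProcessName, ProcessName, TargetUserName, IpAddress). The sample events are constructed from the three failures shown in this article plus one made-up "no such user" case; the code table is limited to the codes most often seen in practice.

```python
# NTSTATUS values found in the Status / Sub Status fields of event 4625. The rendered
# Failure Reason is generic (for 0xC000006D it always reads "Unknown user name or bad
# password"); the Sub Status carries the specific cause.
STATUS_CODES = {
    0xC000005E: "no logon servers available to service the request",
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC000006D: "logon failure (generic; see sub status)",
    0xC000006E: "account restriction (blank password, logon hours, workstation, ...)",
    0xC000006F: "logon outside permitted hours",
    0xC0000070: "logon from this workstation not permitted",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000133: "clock skew between client and domain controller too large",
    0xC000015B: "account not granted this logon type",
    0xC0000193: "account expired",
    0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}


def explain_failure(status, sub_status):
    """Resolve a 4625 Status/Sub Status pair to (code, text), preferring the sub status
    when it is set and more specific than the status."""
    st = int(status, 16)
    sub = int(sub_status, 16)
    if sub and sub != st and sub in STATUS_CODES:
        return sub, STATUS_CODES[sub]
    return st, STATUS_CODES.get(st, "unrecognised NTSTATUS 0x%08X" % st)


def triage_4625(event):
    """Summarise one 4625 event (XML field names) for an analyst."""
    code, reason = explain_failure(event["Status"], event["SubStatus"])
    logon_type = int(event["LogonType"])
    process = event.get("LogonProcessName", "-").strip()
    notes = []
    if code == 0xC0000064:
        notes.append("account does not exist: possible enumeration or a typo")
    if code == 0xC000006A and logon_type in (3, 10):
        notes.append("bad password from the network: count per source address")
    if code == 0xC0000234:
        notes.append("lockout: look for the burst of failures that caused it")
    if process == "Advapi":
        notes.append("LogonUser() API call by %s, not a logon-screen attempt"
                     % event.get("ProcessName", "-"))
    return {"account": event.get("TargetUserName", "-"), "logon_type": logon_type,
            "source": event.get("IpAddress", "-"), "code": "0x%08X" % code,
            "reason": reason, "notes": notes}


# Constructed from the three 4625 events shown on this page, plus a made-up
# "no such user" attempt against a hypothetical account backup_svc.
SAMPLE_4625 = [
    {"LogonType": "2", "TargetUserName": "wrh", "IpAddress": "-",
     "Status": "0xc000006e", "SubStatus": "0xc000006e",
     "LogonProcessName": "Advapi  ", "ProcessName": r"C:\Windows\System32\dllhost.exe"},
    {"LogonType": "10", "TargetUserName": "Administrator", "IpAddress": "192.168.0.122",
     "Status": "0xc000006d", "SubStatus": "0xc000006a",
     "LogonProcessName": "User32 ", "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"LogonType": "3", "TargetUserName": "administrator", "IpAddress": "192.168.0.122",
     "Status": "0xc000006d", "SubStatus": "0xc000006a",
     "LogonProcessName": "NtLmSsp ", "ProcessName": "-"},
    {"LogonType": "3", "TargetUserName": "backup_svc", "IpAddress": "10.0.0.9",
     "Status": "0xc000006d", "SubStatus": "0xc0000064",
     "LogonProcessName": "NtLmSsp ", "ProcessName": "-"},
]


if __name__ == "__main__":
    for event in SAMPLE_4625:
        print(triage_4625(event))
```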
2. Remote logon over RDP, the other everyday case.
When you log on to a host with mstsc and the account is an administrator, a successful logon produces events 4648, 4624 and 4672. In the 4624 event the logon type is 10 (RemoteInteractive). Note that the Workstation Name in the description is still the name of the host being logged on to, not the source host; the source is identified only by Source Network Address and Source Port.
Audit Success   2016-9-23 16:57:55   Microsoft Windows security auditing   4648   Logon
Audit Success   2016-9-23 16:57:55   Microsoft Windows security auditing   4624   Logon
Audit Success   2016-9-23 16:57:55   Microsoft Windows security auditing   4672   Special Logon
First the 4648 event, again with SYSTEM as the Subject, because winlogon.exe on the target presents the credentials received from the RDP client:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:57:55
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
A logon was attempted using explicit credentials.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
  Target Server Name: localhost
  Additional Information: localhost
Process Information:
  Process ID: 0xb3c
  Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Network Address: 192.168.0.122 (IP address of the RDP client)
  Port: 10898 (source port on the RDP client)
Next the 4624 event:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:57:55
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account was successfully logged on.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
Logon Type: 10 (RemoteInteractive)
New Logon:
  Security ID: WIN-K7LDM0NKH6O\Administrator
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
  Logon ID: 0xa93db
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
  Process ID: 0xb3c
  Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: WIN-K7LDM0NKH6O
  Source Network Address: 192.168.0.122
  Source Port: 10898
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
Compared with the local logon there are three differences: the logon type is 10 (RemoteInteractive), and Source Network Address and Source Port now carry the RDP client's address and port instead of 127.0.0.1 and 0.
Now the 4672 special logon event:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:57:55
Event ID: 4672
Task Category: Special Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
Special privileges assigned to new logon.
Subject:
  Security ID: WIN-K7LDM0NKH6O\Administrator
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
  Logon ID: 0xa93db (the same Logon ID as the New Logon in the 4624 event above)
Privileges:
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeDebugPrivilege
  SeSystemEnvironmentPrivilege
  SeImpersonatePrivilege
Event 4672 is written whenever a new logon session is assigned sensitive privileges, and its Logon ID (0xa93db) ties it to the 4624 event for the same session. The privileges listed here (SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege and the rest) are the ones Windows treats as administrator-equivalent, so a 4672 immediately after a 4624 tells you that the account which just logged on is effectively an administrator on this host; a 4624 for a standard user has no accompanying 4672. SYSTEM and service accounts produce 4672 events constantly, so when hunting, restrict to sessions whose 4624 has logon type 2, 3, 7 or 10.
Now the failed RDP logon, again recorded as event 4625.
Audit Failure   2016-9-23 16:57:50   Microsoft Windows security auditing   4625   Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:57:50
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account failed to log on.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
Logon Type: 10 (RemoteInteractive)
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc000006a
Process Information:
  Caller Process ID: 0xb3c
  Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: WIN-K7LDM0NKH6O
  Source Network Address: 192.168.0.122
  Source Port: 10898
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
Whether the user name does not exist or the password is wrong, the failure is recorded as 4625 with logon type 10 (RemoteInteractive) and the generic reason text "Unknown user name or bad password". The Sub Status tells the two cases apart: 0xC000006A, as here, means the account exists and the password was wrong; 0xC0000064 means the user name does not exist. The event also carries the source address and port of the RDP client, which is what to group on when counting failures.
3. Remote access to a host's shared resources, such as a shared folder.
First, access to the share with a valid user name and password. The logon event is 4624 with logon type 3 (Network), audit success, with Source Network Address and Source Port filled in. Read the event below carefully: the New Logon is ANONYMOUS LOGON (Logon ID 0x6ae53), typically the anonymous SMB session that older clients set up before authenticating as the user; the user's own 4624 for wrh has a different Logon ID (0x6ae28, the one the 5140 event below refers to). Note also Package Name: NTLM V1. A host that still accepts NTLMv1 from clients is worth fixing (the LmCompatibilityLevel setting), since NTLMv1 responses are cheap to crack offline.
Audit Success   2016-9-23 16:14:15   Microsoft Windows security auditing   4624   Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:14:15
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account was successfully logged on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3 (Network)
New Logon:
  Security ID: ANONYMOUS LOGON
  Account Name: ANONYMOUS LOGON
  Account Domain: NT AUTHORITY
  Logon ID: 0x6ae53
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
  Process ID: 0x0
  Process Name: -
Network Information:
  Workstation Name: CHINA-CE675F3BC (name of the client machine, as reported by the client)
  Source Network Address: 192.168.0.122
  Source Port: 10234
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): NTLM V1
  Key Length: 0
If the user name and password are correct but the user has no permission on the requested share, the 4624 success event is still written: 4624 records authentication, not authorisation. Whether the share was actually reached is recorded by event 5140.
Next the file share event 5140, which names the share that was accessed and carries the Logon ID of the session that accessed it.
Audit Success   2016-9-23 16:14:15   Microsoft Windows security auditing   5140   File Share
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:14:15
Event ID: 5140
Task Category: File Share
Level: Information
Keywords: Audit Success
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
A network share object was accessed.
Subject:
  Security ID: WIN-K7LDM0NKH6O\wrh
  Account Name: wrh
  Account Domain: WIN-K7LDM0NKH6O
  Logon ID: 0x6ae28 (wrh's own logon session, not the 0x6ae53 of the ANONYMOUS LOGON 4624 above)
Network Information:
  Source Address: 192.168.0.122
  Source Port: 10234
Share Name: \\*\wrh
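An added example, not part of the secisland article, covering both the 4624/4672 pair in section II.2 and the 4624/5140 pair above: the Logon ID is the join key between these events. A 4624 names the new session in its New Logon Logon ID (XML field TargetLogonId), while 4672 and 5140 refer back to that session through their Subject Logon ID (SubjectLogonId). The Python below folds a stream of these events, already flattened into dicts with the XML field names, into one record per session, and flags administrator-equivalent privilege, anonymous logons, NTLMv1 and share access whose logon event is missing from the batch, which is exactly the situation in the two events above (5140 for 0x6ae28, 4624 only for 0x6ae53). The sample events are constructed from the events shown on this page.

```python
from collections import defaultdict

# Privileges that make a session administrator-equivalent; any one of them is enough.
ADMIN_PRIVILEGES = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege",
}

# Constructed from the events shown on this page (field names as in the event XML).
# The PrivilegeList uses the newline/tab separators that real 4672 exports contain.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0xa93db", "TargetDomainName": "WIN-K7LDM0NKH6O",
     "TargetUserName": "Administrator", "LogonType": "10", "IpAddress": "192.168.0.122",
     "AuthenticationPackageName": "Negotiate", "LmPackageName": "-"},
    {"EventID": 4672, "SubjectLogonId": "0xA93DB",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\t"
                      "SeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\t"
                      "SeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\t"
                      "SeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege"},
    {"EventID": 4624, "TargetLogonId": "0x6ae53", "TargetDomainName": "NT AUTHORITY",
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": "3", "IpAddress": "192.168.0.122",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 5140, "SubjectLogonId": "0x6ae28", "SubjectDomainName": "WIN-K7LDM0NKH6O",
     "SubjectUserName": "wrh", "ShareName": r"\\*\wrh", "IpAddress": "192.168.0.122"},
]


def session_id(event):
    """4624 names the new session in TargetLogonId; 4672 and 5140 point back to it
    through SubjectLogonId. Lower-case so 0xA93DB and 0xa93db match."""
    field = "TargetLogonId" if event["EventID"] == 4624 else "SubjectLogonId"
    return event[field].lower()


def new_session():
    return {"account": None, "logon_type": None, "source": None,
            "privileges": set(), "shares": [], "flags": []}


def build_sessions(events):
    """Fold a time-ordered stream of 4624/4672/5140 events into one record per Logon ID."""
    sessions = defaultdict(new_session)
    for ev in events:
        s = sessions[session_id(ev)]
        if ev["EventID"] == 4624:
            s["account"] = "%s\\%s" % (ev["TargetDomainName"], ev["TargetUserName"])
            s["logon_type"] = int(ev["LogonType"])
            s["source"] = ev.get("IpAddress", "-")
            if ev["TargetUserName"].upper() == "ANONYMOUS LOGON":
                s["flags"].append("anonymous (null session) logon")
            if ev.get("LmPackageName", "-").upper() == "NTLM V1":
                s["flags"].append("NTLM V1 accepted")
        elif ev["EventID"] == 4672:
            s["privileges"].update(ev["PrivilegeList"].split())
            if (s["privileges"] & ADMIN_PRIVILEGES
                    and "administrator-equivalent privileges" not in s["flags"]):
                s["flags"].append("administrator-equivalent privileges")
        elif ev["EventID"] == 5140:
            s["shares"].append(ev["ShareName"])
            if s["source"] is None:
                s["source"] = ev.get("IpAddress", "-")
            if s["account"] is None:
                # No 4624 for this Logon ID in the batch: the share access cannot be
                # tied to a logon type or authentication package.
                s["account"] = "%s\\%s" % (ev["SubjectDomainName"], ev["SubjectUserName"])
                s["flags"].append("share access without a matching 4624 in this batch")
    return dict(sessions)


if __name__ == "__main__":
    for logon_id, s in build_sessions(SAMPLE_EVENTS).items():
        print(logon_id, s["account"], "type", s["logon_type"], "from", s["source"],
              "shares", s["shares"], "flags", s["flags"])
```

Run against a real export, the "no matching 4624" flag usually means the batch window started after the logon, or that logon auditing was not enabled when the session was created; on the events shown on this page it highlights that the ANONYMOUS LOGON 4624 and the wrh 5140 belong to two different sessions.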
Now the share access failure, event 4625:
Audit Failure   2016-9-23 15:15:12   Microsoft Windows security auditing   4625   Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 15:15:12
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3 (Network)
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: administrator
  Account Domain: WIN-K7LDM0NKH6O
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc000006a
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: CHINA-CE675F3BC
  Source Network Address: 192.168.0.122
  Source Port: 9323
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
For share access, a non-existent user name or a wrong password is again recorded as 4625, this time with logon type 3 (Network), Logon Process NtLmSsp and Authentication Package NTLM. The Subject is NULL SID with Logon ID 0x0 because no local process requested the logon; the request arrived from the network. As with RDP, the account name, the source address and the Status/Sub Status codes identify who was tried, from where, and why it failed.
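An added example (not from the secisland article) for the RDP failures in section II.2 and the share failures above: both arrive from the network with a Source Network Address, so password guessing shows up as many 4625 events with logon type 3 or 10 from one source, and a guess that worked shows up as a 4624 from that same source shortly afterwards. The Python below runs that detection over 4625/4624 events flattened into dicts (EventID, TimeCreated, LogonType, IpAddress, TargetUserName), distinguishing brute force against one account from a password spray across many. The sample data is constructed: the three failures and the RDP success shown on this page, padded with made-up repeats (six guesses at Administrator) and a made-up spray from a hypothetical host 10.0.0.9.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types whose credentials arrive over the wire: the ones password guessing uses.
REMOTE_TYPES = {3, 10}


def _when(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Scan 4625/4624 events (dicts with EventID, TimeCreated, LogonType, IpAddress,
    TargetUserName). Per source address, report a burst of >= threshold failures inside
    `window`, classed as brute force (few accounts) or password spray (many accounts),
    and any success from that source while failures are still inside the window."""
    failures = defaultdict(list)   # source address -> [(time, account), ...]
    alerted = set()
    findings = []
    for ev in sorted(events, key=_when):
        if int(ev.get("LogonType", 0)) not in REMOTE_TYPES:
            continue
        src, now = ev.get("IpAddress", "-"), _when(ev)
        recent = [(t, a) for t, a in failures[src] if now - t <= window]
        failures[src] = recent
        if ev["EventID"] == 4625:
            recent.append((now, ev["TargetUserName"]))
            if len(recent) >= threshold and src not in alerted:
                accounts = sorted({a for _, a in recent})
                kind = "password spray" if len(accounts) > len(recent) // 2 else "brute force"
                findings.append({"source": src, "kind": kind, "failures": len(recent),
                                 "accounts": accounts, "at": ev["TimeCreated"]})
                alerted.add(src)
        elif ev["EventID"] == 4624 and recent and src in alerted:
            findings.append({"source": src, "kind": "success after failures",
                             "account": ev["TargetUserName"], "at": ev["TimeCreated"]})
    return findings


def _ev(event_id, time, logon_type, ip, user):
    return {"EventID": event_id, "TimeCreated": time, "LogonType": str(logon_type),
            "IpAddress": ip, "TargetUserName": user}


# Constructed sample: the failures and the RDP success shown on this page, padded with
# made-up repeats (six RDP guesses at Administrator) and a made-up spray from 10.0.0.9.
SAMPLE_EVENTS = (
    [_ev(4625, "2016-09-23T10:35:13", 2, "-", "wrh"),                        # console, ignored
     _ev(4625, "2016-09-23T15:15:12", 3, "192.168.0.122", "administrator")]  # lone SMB failure
    + [_ev(4625, "2016-09-23T12:00:%02d" % (10 * i), 3, "10.0.0.9", user)
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_ev(4625, "2016-09-23T16:57:%02d" % (20 + 5 * i), 10, "192.168.0.122", "Administrator")
       for i in range(6)]
    + [_ev(4624, "2016-09-23T16:57:55", 10, "192.168.0.122", "Administrator")]
)


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are the tuning knobs: a console user mistyping twice never trips this, while five remote failures in five minutes from one address does. Feeding the same address into the 4624 check is what turns "noisy failures" into "someone got in", which is the event to escalate.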
4. Unlock logon
Unlocking a locked session produces the same event sequence as a remote logon: 4648, 4624 and 4672 on success, with logon type 7 (Unlock) in the 4624 event.
Audit Success   2016-9-23 16:28:41   Microsoft Windows security auditing   4648   Logon
Audit Success   2016-9-23 16:28:41   Microsoft Windows security auditing   4624   Logon
Audit Success   2016-9-23 16:28:41   Microsoft Windows security auditing   4672   Special Logon
Now a failed unlock. As before, the failure is recorded as event 4625.
Audit Failure   2016-9-23 16:28:35   Microsoft Windows security auditing   4625   Logon
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2016-9-23 16:28:35
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: WIN-K7LDM0NKH6O
Description:
An account failed to log on.
Subject:
  Security ID: SYSTEM
  Account Name: WIN-K7LDM0NKH6O$
  Account Domain: WORKGROUP
  Logon ID: 0x3e7
Logon Type: 7 (Unlock)
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: Administrator
  Account Domain: WIN-K7LDM0NKH6O
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc000006a
Process Information:
  Caller Process ID: 0x204
  Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: WIN-K7LDM0NKH6O
  Source Network Address: 192.168.0.122
  Source Port: 10156
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
Again, a non-existent user name or a wrong password produces 4625, here with logon type 7 (Unlock) and the generic failure text; the Sub Status 0xC000006A shows it was a wrong password for an existing account. Note the Source Network Address 192.168.0.122 in an unlock event: it is the same RDP client seen in section II.2, so this lock screen was being unlocked from inside a remote desktop session rather than at the console. An unlock with a source address other than 127.0.0.1 or "-" is therefore a remote session, not a local user.
Finally, a summary of the logon audit events:
4648 is generated when a process attempts a logon with explicitly specified credentials (winlogon.exe presenting credentials typed at the console or received from an RDP client, runas, scheduled tasks).
4624 is generated on the computer being accessed once the logon session has been created. Its Logon Type says how the logon happened, and the Logon ID under New Logon is the key that links it to later events for the same session.
4672 follows the 4624 when the new session holds administrator-equivalent privileges.
4625 records a failure; the Status and Sub Status codes, not the reason text, say why.
As a baseline, focus on 4625 failures with logon types 2, 3, 7 and 10 (console, network, unlock and RDP), grouped by source address and account name.