Windows login log detailed explanation 03/31 Update SLTechnology News&Howtos

Windows login log detailed explanation

2025-03-31 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

Summary: logs are very important in many cases, especially login logs. From the login log, you can find a lot of valuable information, window2008 and later logs are basically the same, 2003 due to too long, Microsoft has stopped updating, so focus on the 2008 login log.

I. Windows login type

The corresponding meaning of Windows login type is shown in the following table:

Type ID

Description information

two

Interactive

A user logged on to this computer at the console

three

Network

A user or computer logged on to this computer from the network

four

Batch

Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention

five

Service

A service was started by the Service Control Manager

seven

Unlock

This workstation was unlocked

eight

NetworkCleartext

A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication

nine

NewCredentials

A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.

ten

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.

eleven

CachedInteractive

A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials

Login type 2: interactive login (Interactive): the login made by the user on the console of the computer, that is, the login on the local keyboard.

Login type 3: network (Network): the most common is to access a network shared folder or printer. In addition, in most cases, logging in to IIS over the network is also recorded as this type, but the basic authentication IIS login is an exception, which will be recorded as type 8.

Login type 4: batch (Batch): when Windows runs a scheduled task, the scheduled Task Service first creates a new login session for the task so that it can run under the user account configured by the scheduled task. When this login occurs, Windows is recorded as type 4 in the log. For other types of work task systems, it depends on its design. Type 4 login events can also occur at the beginning of work. Type 4 login usually indicates that a scheduled task starts, but it may also be a malicious user guessing the user's password by scheduling the task. this attempt will result in a login failure of type 4, but this failed login may also be caused by the failure of the user password of the scheduled task to change synchronously, for example, the user password has changed And forgot to make changes in the scheduled task.

Login type 5: service (Service): similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that particular user, which is recorded as type 5, which usually indicates that the user's password has changed and has not been updated here.

Login type 7: unlock (Unlock): many companies have such a security setting: the screensaver locks the computer screen when the user is away from the screen for a period of time. You need to type a user name and password to unlock the screen. The log type generated at this time is Type 7.

Login type 9: new credentials (NewCredentials): login authentication that usually occurs when a program is run in RunAS mode.

Login type 10: remote interaction (RemoteInteractive): when accessing a computer through Terminal Services, remote Desktop, or remote Assistance, Windows will be marked as type 10 to distinguish it from a real console login. Note that previous versions of XP do not support this login type, for example, Windows2000 still records Terminal Services login as type 2.

Login type 11: cache interaction (CachedInteractive): use cache login when you are logged in as a domain user outside your own network and cannot log in to the domain controller. By default, Windows caches the credential HASH for the last 10 interactive domain logins, and if you log in as a domain user later and there is no domain controller available, Windows will use these HASH to verify your identity.

This article was originally created by secisland. Please indicate the source of the reprint. Thank you!

Second, log analysis of common login types (take windows2008 as an example) 1. Local interactive login, which is the most common login method we use every day.

The first is a successful login. According to log analysis, at least two events will occur, namely ID4648 and 4624. The screenshots below are shown from top to bottom.

The audit was successful at 10:36:12 on 2016-9-23 Microsoft Windows security auditing. 4648 login

The audit was successful at 10:36:12 on 2016-9-23 Microsoft Windows security auditing. 4624 login

Now for analysis, the first is the ID4648 event, which indicates that someone is trying to log in with identity credentials and that the user name in the header field is SYSTEM. See what's in the description:

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 10:36:12 on 2016-9-23

Event ID: 4648

Task Category: login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O (target machine name)

Description:

An attempt was made to log in with explicit credentials. (indicates that someone is trying to log in)

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$ (hostname with $suffix)

Account domain: WORKGROUP (domain name of the host, in this case the host is in a workgroup named "WORKGROUP")

The credentials of which account are used:

Account name: wrh (user name used for login)

Account domain: WIN-K7LDM0NKH6O (target account domain)

Target server:

Target server name: localhost

Additional information: localhost

Process information:

Process ID: 0xfb8

Process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Network address: 127.0.0.1

Port: 0

Next comes the ID4624 event. Take a look at the description:

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 10:36:12 on 2016-9-23

Event ID: 4624

Task Category: login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Successfully logged into the account.

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$ (hostname with $suffix)

Account domain: WORKGROUP

New login:

Security ID: WIN-K7LDM0NKH6O\ wrh

Account name: wrh (name of the account logged in)

Account domain: WIN-K7LDM0NKH6O

Process information:

Process ID: 0xfb8

Process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Workstation name: WIN-K7LDM0NKH6O

Source network address: 127.0.0.1

Source port: 0

Detailed authentication information:

Authentication packet: Negotiate

Delivery service:-

Packet name (NTLM only):-

Key length: 0

Next, take a look at the failed local login. A failed login results in an event log with an ID of 4625.

Audit failed 10:35:13 on 2016-9-23 Microsoft Windows security auditing. 4625 login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 10:35:13 on 2016-9-23

Event ID: 4625

Task Category: login

Level: information

Keyword: audit failed

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Account login failed.

Themes:

Security ID: WIN-K7LDM0NKH6O\ Administrator

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Account that failed to login:

Secure ID: NULL SID

Account name: wrh (name of the account logged in)

Account domain:

Failure message:

Reason for failure: unknown username or password error. (reason for failure)

Status: 0xc000006e

Sub-status: 0xc000006e

Process information:

Caller process ID: 0xec0

Caller process name: C:\ Windows\ System32\ dllhost.exe

Network Information:

Workstation name: WIN-K7LDM0NKH6O

Source network address:-

Source port:-

Detailed authentication information:

Authentication packet: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Delivery service:-

Packet name (NTLM only):-

Key length: 0

This article was originally created by secisland. Please indicate the source of the reprint. Thank you!

2. Use RDP protocol to log in remotely, which is also a common situation in daily life.

When logging in to a host remotely using mstsc, if the account used is an administrator account, there will be events with ID of 4648, 4624, 4672 if successful. The first is a successful login, as shown in the following figure, from which you can see that the ID is 4624, the audit is successful, and the login type is 10 (remote interaction). And the hostname (source workstation) in the description information is still the hostname of the host being attempted to log in, not the source hostname.

The audit was successful at 16:57:55 on 2016-9-23 Microsoft Windows security auditing. 4648 login

The audit was successful at 16:57:55 on 2016-9-23 Microsoft Windows security auditing. 4624 login

The audit was successful at 16:57:55 on 2016-9-23 Microsoft Windows security auditing. 4672 Special login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:57:55 on 2016-9-23

Event ID: 4648

Task Category: login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

An attempt was made to log in with explicit credentials.

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$

Account domain: WORKGROUP

The credentials of which account are used:

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Target server:

Target server name: localhost

Additional information: localhost

Process information:

Process ID: 0xb3c

Process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Network address: 192.168.0.122 (source host IP address)

Port: 10898 (source host port)

Next comes the ID4624 event. Take a look at the description:

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:57:55 on 2016-9-23

Event ID: 4624

Task Category: login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Successfully logged into the account.

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$

Account domain: WORKGROUP

New login:

Security ID: WIN-K7LDM0NKH6O\ Administrator

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Process information:

Process ID: 0xb3c

Process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Workstation name: WIN-K7LDM0NKH6O

Source network address: 192.168.0.122

Source port: 10898

Detailed authentication information:

Authentication packet: Negotiate

Delivery service:-

Packet name (NTLM only):-

Key length: 0

You can see that there are at least three differences between local login and local login. First, the login type ID is 10, indicating remote interactive login, followed by the source network address and source port.

Let's take a look at ID4672, the special login event:

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:57:55 on 2016-9-23

Event ID: 4672

Task category: special login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Special permissions are assigned to new logins.

Themes:

Security ID: WIN-K7LDM0NKH6O\ Administrator

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Privilege: SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

All operations that assign special permissions to the login process belong to the Special Login event. Special permissions refer to all privileged accounts under the account domain WIN-K7LDM0NKH6O that users cannot use to log on to the system, which are reserved for system service processes to perform privileged operations.

Next, take a look at the failed RDP protocol login. A failed login results in an event log with an ID of 4625.

Audit failed 16:57:50 on 2016-9-23 Microsoft Windows security auditing. 4625 login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:57:50 on 2016-9-23

Event ID: 4625

Task Category: login

Level: information

Keyword: audit failed

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Account login failed.

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$

Account domain: WORKGROUP

Account that failed to login:

Secure ID: NULL SID

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Failure message:

Reason for failure: unknown username or password error.

Status: 0xc000006d

Sub-status: 0xc000006a

Process information:

Caller process ID: 0xb3c

Caller process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Workstation name: WIN-K7LDM0NKH6O

Source network address: 192.168.0.122

Source port: 10898

Detailed authentication information:

Authentication packet: Negotiate

Delivery service:-

Packet name (NTLM only):-

Key length: 0

Login failed with a non-existing user name and an incorrect password, respectively, with an ID of 4625 and a login type of 10 (remote interaction). The audit failed, listing the account name and reason for the login failure.

This article was originally created by secisland. Please indicate the source of the reprint. Thank you!

3. Remotely access a host's shared resources, such as a shared folder.

The first is to access the remote shared host with the correct username and password. The login event ID is 4624 and the login type is 3 (Network). The audit is successful. Lists the source network address and port.

The audit was successful at 16:14:15 on 2016-9-23 Microsoft Windows security auditing. 4624 login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:14:15 on 2016-9-23

Event ID: 4624

Task Category: login

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Successfully logged into the account.

Themes:

Secure ID: NULL SID

Account name:-

Account domain:-

New login:

Secure ID: ANONYMOUS LOGON

Account name: ANONYMOUS LOGON

Account domain: NT AUTHORITY

Process information:

Process ID: 0x0

Process name:-

Network Information:

Workstation name: CHINA-CE675F3BC

Source network address: 192.168.0.122

Source port: 10234

Detailed authentication information:

Authentication packet: NTLM

Delivery service:-

Packet name (NTLM only): NTLM V1

Key length: 0

If the account name and password used to access the shared resources are correct, but the user does not have access to the specified shared folder, there will still be an authentication success event with an ID of 4624.

Next is the file share log with event ID 5140, showing the name of the shared folder accessed.

The audit was successful at 16:14:15 on 2016-9-23 Microsoft Windows security auditing. 5140 File sharing

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:14:15 on 2016-9-23

Event ID: 5140

Task category: file sharing

Level: information

Keyword: audit successful

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

The network sharing object has been accessed.

Themes:

Security ID: WIN-K7LDM0NKH6O\ wrh

Account name: wrh

Account domain: WIN-K7LDM0NKH6O

Network Information:

Source address: 192.168.0.122

Source port: 10234

Share name:\\ *\ wrh

Let's take a look at the log information of the shared access login failure event ID4625:

Audit failed 15:15:12 on 2016-9-23 Microsoft Windows security auditing. 4625 login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 15:15:12 on 2016-9-23

Event ID: 4625

Task Category: login

Level: information

Keyword: audit failed

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Account login failed.

Themes:

Secure ID: NULL SID

Account name:-

Account domain:-

Account that failed to login:

Secure ID: NULL SID

Account name: administrator

Account domain: WIN-K7LDM0NKH6O

Failure message:

Reason for failure: unknown username or password error.

Status: 0xc000006d

Sub-status: 0xc000006a

Process information:

Caller process ID: 0x0

Caller process name:-

Network Information:

Workstation name: CHINA-CE675F3BC

Source network address: 192.168.0.122

Source port: 9323

Detailed authentication information:

Authentication packet: NTLM

Delivery service:-

Packet name (NTLM only):-

Key length: 0

Remote login with RDP protocol, login failed with non-existent user name and wrong password, ID is 4625, login type is 3 (network). The audit failed, listing the account name and reason for the login failure.

4. Unlock login

Unlocking login is the same as remote login, there will be events with ID of 4648, 4624, 4672 if successful. The first is a successful login, as shown in the following figure, from which you can see that the ID is 4624, the audit is successful, and the login type is 7 (Unlock).

The audit was successful at 16:28:41 on 2016-9-23 Microsoft Windows security auditing. 4648 login

The audit was successful at 16:28:41 on 2016-9-23 Microsoft Windows security auditing. 4624 login

The audit was successful at 16:28:41 on 2016-9-23 Microsoft Windows security auditing. 4672 Special login

Next, take a look at the failed unlocked login. Similarly, a failed login results in an event log with an ID of 4625.

Audit failed 16:28:35 on 2016-9-23 Microsoft Windows security auditing. 4625 login

Log name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 16:28:35 on 2016-9-23

Event ID: 4625

Task Category: login

Level: information

Keyword: audit failed

User: temporarily vacant

Computer: WIN-K7LDM0NKH6O

Description:

Account login failed.

Themes:

Secure ID: SYSTEM

Account name: WIN-K7LDM0NKH6O$

Account domain: WORKGROUP

Account that failed to login:

Secure ID: NULL SID

Account name: Administrator

Account domain: WIN-K7LDM0NKH6O

Failure message:

Reason for failure: unknown username or password error.

Status: 0xc000006d

Sub-status: 0xc000006a

Process information:

Caller process ID: 0x204

Caller process name: C:\ Windows\ System32\ winlogon.exe

Network Information:

Workstation name: WIN-K7LDM0NKH6O

Source network address: 192.168.0.122

Source port: 10156

Detailed authentication information:

Authentication packet: Negotiate

Delivery service:-

Packet name (NTLM only):-

Key length: 0

Similarly, the login failed with a non-existent user name and the wrong password, respectively, with an ID of 4625 and a login type of 7 (unlock). The audit failed, listing the account name and reason for the login failure.

Finally, let's summarize the "audit login" event:

A 4648 event is generated when a process attempts to log in to an account by explicitly specifying its credentials.

A successful login usually produces a 4624 event, which is generated on the computer being accessed after the login session is created.

4672 events will occur if the user is privileged.

Typically, you only need to focus on 4625 login failure events with login types of 2, 3, 7, and 10.

This article was originally created by secisland. Please indicate the source of the reprint. Thank you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.