Logon Types

This page provides a detailed overview of various Windows logon types, including Interactive, Network, Batch, Service, and others, explaining when and why each logon type occurs. It also covers key scenarios like remote access, cached credentials, and secure vs. insecure logons to help users understand how Windows tracks and logs user authentication events.

Logon Type 1: System.

A logon session was created by the system at startup. This logon type occurs when Windows starts and the system processes use the system account to perform functions or start up tasks.

Logon Type 2: Interactive.

A user logged on to this computer. This event occurs when a user logs on locally, either with a local or domain account. If a domain account is used and the domain controller isn't available, this will be logged with Logon Type 11 instead.

Logon Type 3: Network.

A user or computer logged on to this computer from the network. This occurs when someone accesses the computer remotely over the network, often seen with shared resources.

Logon Type 4: Batch.

Batch logon type used by batch servers where processes are running on behalf of users without direct intervention, typically triggered by scheduled tasks.

Logon Type 5: Service.

A service was started by the Service Control Manager. This happens when Windows starts a service that logs in using a user account rather than special system accounts like "Local System" or "NetworkService."

Logon Type 6: (Not Defined in Standard Logs).

This type does not have a common definition in the event logs, but confusion often arises with Logon Type 9 (NewCredentials), which deals with users running processes with different credentials.

Logon Type 7: Unlock.

The workstation was unlocked. This event occurs when a previously locked workstation is unlocked by a user.

Logon Type 8: NetworkCleartext.

A user logged on from the network, and the password was passed in cleartext (unhashed). This is an insecure method of transmitting credentials and should generally be avoided.

Logon Type 9: NewCredentials.

A caller cloned its current token and specified new credentials for outbound connections. This typically happens when using the RunAs command with the /netonly option to execute a program with different credentials for network connections.

Logon Type 10: RemoteInteractive.

A user logged on remotely using Terminal Services or Remote Desktop. Similar to Logon Type 2 (Interactive), but the connection is made through RDP.

Logon Type 11: CachedInteractive.

A user logged on with network credentials stored locally. This happens when the domain controller is unavailable, and Windows uses cached credentials to allow the logon to proceed.

PreviousGRC NextWhat is Dev-Null ?

Last updated 4 months ago