
Windows 8.1 Audit Policy - Audit Logon Events

Summary

The following article applies to a Windows 8.1 PC configured in Workgroup mode. The procedure would change when Windows 8.1 is configured in an Active Directory Domain.


This article provides Administrators with extensive detail about the Logon / Logoff Event IDs that get registered when a Security Principal logs in to or out of the Windows 8.1 Preview Operating System configured in Workgroup mode. This document explains the steps to configure the Policy and provides a list of all the Event IDs that get registered in the Windows 8.1 Event Log for every logon / logoff activity. This article lists various examples of logon / logoff events in great detail, which helps Administrators track Logon / Logoff activities on a Windows 8.1 PC.




Policy Description:

This security setting determines whether the OS audits each instance of a user attempting to log on to or log off from this computer. Logoff events are generated whenever a logged-on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or not to audit these events at all (i.e. neither successes nor failures).







Administrators can configure the Account Management Auditing policy using the Local Security Policy console or the GPEDIT.msc console. Below are the steps to configure Account Management Auditing.


Step 1: Launch Local Security Policy by entering "Secpol.msc" in the Run command, or by navigating to Control Panel --> Administrative Tools --> double-click Local Security Policy.



Step 2: In the Local Security Policy console, navigate to Local Policies and select Audit Policy.




Step 3: Right-click the Audit logon events policy and click Properties. Check both the Success and Failure options.




Step 4: Click Apply and OK to apply the changes. The events will get registered in Event Viewer under the Security event log.
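The same configuration from the command line, as an added example that is not part of the original article: auditpol sets the Logon/Logoff subcategories that the basic "Audit logon events" setting covers, reads the effective policy back, and Get-WinEvent confirms that the Security log is actually receiving the Event IDs discussed in the rest of this article. The subcategory names are auditpol's own English names; run it from an elevated PowerShell prompt on the workgroup PC.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt on the workgroup PC.

# 1. Enable Success and Failure auditing for the subcategories behind
#    "Audit logon events": Logon (4624/4625/4648), Logoff (4634/4647),
#    Account Lockout (4625 for locked accounts) and Special Logon (4672).
auditpol /set /subcategory:"Logon"           /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"          /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon"   /success:enable /failure:enable

# 2. Read the effective policy back for the whole Logon/Logoff category.
auditpol /get /category:"Logon/Logoff"

# 3. Confirm the Security log is receiving logon audits by counting recent
#    events per Event ID. Get-WinEvent reports an error when nothing matches,
#    so suppress it and handle the empty result explicitly.
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634, 4647, 4648, 4672 }
$recent = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $recent) {
    Write-Warning 'No logon/logoff events found yet; log off and on again, then re-run.'
} else {
    $recent |
        Group-Object Id |
        Sort-Object Name |
        Select-Object @{ n = 'EventID'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

auditpol writes the advanced (subcategory) audit policy. Once any subcategory setting is defined, Windows applies it in preference to the basic Audit Policy setting shown in secpol.msc, so when the two views disagree, `auditpol /get` is the one that reflects what the Security log will actually record.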


It is very important for Administrators to understand Windows Logon Types before enabling auditing. Windows 8.1 Preview uses the following list of Logon Types.


Logon type   Logon title         Description
2            Interactive         A user logged on to this computer.
3            Network             A user or computer logged on to this computer from the network.
4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5            Service             A service was started by the Service Control Manager.
7            Unlock              This workstation was unlocked.
8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.




This section provides Administrators with detail about the Logon Event IDs that get registered on a Windows 8.1 Preview PC and explains the various scenarios that register Logon events in the Event Viewer. Both Success and Failure Logon Events are covered in depth.



Logon Events that get registered when a User successfully logs on to a Windows 8.1 Preview PC. Users can log in to a Windows 8.1 Preview PC / Windows 8.1 PC in different ways, such as:

    a) Windows Logon

    b) Remote Desktop Logon

    c) Microsoft Account Logon



Windows Logon Events (Logon Type 2)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Windows Logon Events (Logon Type 3)

    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Windows Logon Events (Logon Type 4)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Windows Logon Events (Logon Type 5)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Windows Logon Events (Logon Type 5)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on
    Event ID: 4672    Type: Audit Success    Category: Logon    Description: Special privileges assigned to new logon


Windows Logon Events (Logon Type 7)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Remote Desktop Logon (Logon Type 10)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on


Microsoft Account / Live Account / Hotmail Account Login (Logon Type 7)

    Event ID: 4648    Type: Audit Success    Category: Logon    Description: A logon was attempted using explicit credentials
    Event ID: 4624    Type: Audit Success    Category: Logon    Description: An account was successfully logged on





Windows Logon Events (Logon Type 2):

This is the most common way for a User to log in to a Windows 8.1 Preview PC. In the below example, StandardWorker1 was used to log in to the Windows 8.1 Preview PC.







Windows Success Logon (Logon Type 2): The Event IDs below get registered when a User launches an application using the Run As option and enters a valid User name and Password. In the below example, the PowerUserII account is used to open MMC.exe using the Run As option.






Windows Success Logon (Logon Type 2): The Event IDs below get registered when an application is launched from PowerShell with explicit credentials. In my below example, PowerShell running under the Administrator account starts MMC.exe with explicit user credentials. The code is as follows:

    $Username = "PowerUserII"
    $Password = "P@ssw0rd"   # the password must be a quoted string

    # Build a PSCredential from the user name and a SecureString of the password
    $Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($Username, (ConvertTo-SecureString -String $Password -AsPlainText -Force))

    # Start MMC as PowerUserII; this produces Event ID 4648 followed by 4624 (Logon Type 2)
    Start-Process "c:\windows\system32\mmc.exe" -Credential $Credentials







Windows Success Logon (Logon Type 3): The Event ID below gets registered when a User accesses a shared folder. In the below example, the Access-Share folder is accessed from a remote computer and, when prompted for User Credentials, the PowerUserII account is used.







Windows Success Logon (Logon Type 4): The Event IDs below are registered when a Scheduled Task is executed with a specific User Account. In the below example, I have created a Scheduled Task to start Notepad.exe with the PowerUser account.

Note: The User account must be granted the "Log on as a batch job" right.







Windows Success Logon (Logon Type 5): The Event IDs below get registered when a Windows Service is configured and started with an explicit User Account. In the below example, the Windows Image Acquisition service is using the PowerUser account.






Windows Success Logon (Logon Type 7): The Events below get registered when a user unlocks his Windows 8.1 desktop that was locked by a password-protected screen saver. In my below example, the PowerUser session is configured with a Password Protected Screen Saver and the session gets locked after the time specified under the Screen Saver option. When the user unlocks his password-protected Windows logon session, the Event ID below gets registered.






Remote Desktop Logon (Logon Type 10): The Logon Type for an RDP login is 10. In the below example, the PowerUser account was used to RDP into the Windows 8.1 Preview client.







Microsoft Account / Live Account / Hotmail Account Login (Logon Type 7): Though the Event IDs are the same for Windows Logon / RDP / Microsoft Account logons, the difference is in the Logon Type, which is 7 when logging into a Windows 8.1 Preview PC using Live credentials. In the below example, I have logged in with my Microsoft ID, which is













Failed Logon Events get registered when a User account fails to log on to a Windows 8.1 PC. Administrators will see Audit Failure events in the Event Viewer in the event of a login failure. Some of the Failed Logon Scenarios include:

    a) User entering a wrong password

    b) Accessing an application (RunAs) with a disabled user Account

    c) Administrator disables a User Account that is currently logged on to the PC

    d) User entering a wrong password while his account status is disabled (covering two scenarios: Wrong Password + Disabled account)

Note: In a scenario where the Account Lockout Threshold is set to 2 attempts and the Administrator disables the User Account, Account Lockout takes priority over the disabled state.
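A parser that ties the Logon Type table and the failure scenarios above together, written here as an added example (not code from the original article). It takes Security events in the XML form that Get-WinEvent's ToXml() method returns, labels 4624/4625 events with the logon-type title, and for 4625 maps the SubStatus field to the failure reason (wrong password, unknown user, disabled, locked out, expired). The two events at the bottom are constructed samples: the host name, logon ID, addresses and user names are made up for this example and do not come from a real log.

```powershell
# Added example, not from the original article. Labels 4624/4625 events with
# the logon-type title and, for failures, the reason carried in SubStatus.

$LogonTypeTitle = @{
    '2' = 'Interactive';    '3'  = 'Network';           '4'  = 'Batch'
    '5' = 'Service';        '7'  = 'Unlock';            '8'  = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

# NTSTATUS codes that appear in the SubStatus field of Event ID 4625.
$FailureReason = @{
    '0xc000006a' = 'Unknown user name or bad password (wrong password)'
    '0xc0000064' = 'Unknown user name or bad password (user name does not exist)'
    '0xc0000072' = 'Account currently disabled'
    '0xc0000234' = 'Account locked out'
    '0xc0000071' = 'Password expired'
}

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml  = [xml]$EventXml
    $data = @{}
    # EventData is a list of <Data Name="...">value</Data> elements.
    foreach ($d in @($xml.Event.EventData.Data)) { $data[$d.Name] = $d.'#text' }

    $id        = [int]$xml.Event.System.EventID
    $logonType = [string]$data['LogonType']
    $subStatus = ([string]$data['SubStatus']).ToLowerInvariant()

    $outcome = switch ($id) { 4624 { 'Success' } 4625 { 'Failure' } default { 'Other' } }
    $title   = if ($LogonTypeTitle.ContainsKey($logonType)) { $LogonTypeTitle[$logonType] } else { 'Unknown' }
    $reason  = ''
    if ($id -eq 4625) {
        $reason = if ($FailureReason.ContainsKey($subStatus)) { $FailureReason[$subStatus] }
                  else { "Unmapped SubStatus $subStatus" }
    }

    [pscustomobject]@{
        EventID   = $id
        Outcome   = $outcome
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $logonType
        Title     = $title
        Source    = $data['IpAddress']
        Reason    = $reason
    }
}

# Constructed sample: a successful network logon (Logon Type 3) to a share.
$Sample4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Channel>Security</Channel><Computer>WIN8-1</Computer></System>
  <EventData>
    <Data Name="TargetUserName">PowerUserII</Data>
    <Data Name="TargetDomainName">WIN8-1</Data>
    <Data Name="TargetLogonId">0x3e7a1</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@

# Constructed sample: RunAs with a disabled account (Logon Type 2,
# Status 0xC000006E account restriction, SubStatus 0xC0000072 disabled).
$Sample4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Channel>Security</Channel><Computer>WIN8-1</Computer></System>
  <EventData>
    <Data Name="TargetUserName">StandardWorker1</Data>
    <Data Name="TargetDomainName">WIN8-1</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@

$Sample4624, $Sample4625 | ForEach-Object { ConvertFrom-LogonEventXml $_ } | Format-Table -AutoSize
```

To run the same logic over the live log, replace the two samples with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }`. The SubStatus, not the Status field, is what distinguishes the disabled-account and wrong-password cases that the scenarios above describe; the Status field for both is the generic account-restriction or logon-failure code.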


Windows Logon Events (Logon Type 2)

    Event ID: 4625    Type: Audit Failure    Category: Logon    Description: An Account failed to log on


Windows Logon Events (Logon Type 3)

    Event ID: 4625    Type: Audit Failure    Category: Logon    Description: An Account failed to log on


Windows Logon Events (Logon Type 3)

    Event ID: 4625    Type: Audit Failure    Category: Logon    Description: An Account failed to log on




1.2.4 Failed Logon Events Scenarios: Windows Logon:


Windows Failed Logon Events (Logon Type 2): The Event ID below gets registered when a User tries to run an executable on a Windows 8.1 Preview PC while the User Account status is Disabled. In the below example, a User with Disabled status tries to run an executable using Runas, and it fails with the Security Audit below getting registered.





Windows Failed Logon Event (Logon Type 2): The Event ID below gets registered when a User tries to log in to the PC while his account status is Locked. As a test, a Standard User locks his workstation and the Administrator disables his account (the reasons may differ); when the same Standard User tries to unlock his workstation, it fails with an account disabled message on the Logon screen.






Windows Failed Logon Event (Logon Type 2 and Logon Type 3): The Event IDs below get registered when a User with Disabled status enters a wrong password; Windows registers two events with different Failure Information:

    a) Account currently disabled

    b) Unknown user name or bad password







Windows Failed Logon Event (Logon Type 2): The Event ID below gets registered when a User enters a wrong password to log on to a Windows 8.1 Preview PC.





Windows Failed Logon Event (Logon Type 2): The Event ID below is registered where the Account Lockout Threshold is set to 2 attempts and the Administrator disables the User Account; Account Lockout takes priority over the disabled state and registers an Account Lockout audit failure message in the Event Viewer.





Windows Failed Logon Event (Logon Type 2): The Event ID below gets registered when a User tries to run an application with an invalid User Name.





Windows Failure Logon Event (Logon Type 2): The Event ID below gets registered when the User's Password has expired and Windows prompts the User to change the Password.




Remote Desktop Logon:

Windows Failed Logon Event (Logon Type 3): The Event ID below gets registered when a User enters a wrong password when connecting through a Remote Desktop Services / RDP session.





Windows Failed Logon Event (Logon Type 3): The Event ID below gets registered when a User enters a wrong User Name when connecting through a Remote Desktop Services / RDP session.





Windows Failed Logon Event (Logon Type 3 and Logon Type 10): The Event IDs below get registered when a Disabled User tries to Remote Desktop into a Windows 8.1 Preview PC.







Windows Failure Logon Event (Logon Type 3 and Logon Type 10): The Event IDs below are registered when a Locked User account tries to Remote Desktop into a Windows 8.1 PC.







Windows Failure Logon Event Type (Logon Type 3 and Logon Type 10): The Event IDs below get registered when a User logs on through a Remote Desktop Services / RDP session and his password has expired.






Microsoft Account Logon:

Windows Logon Event Type (Logon Type 2 and Logon Type 3): The Event IDs below are registered when a User logs in with a Microsoft Account and enters a wrong password.








Windows Failed Logon Event (Logon Type 2): The Event ID below gets registered when a User tries to run an application / executable using a Microsoft Account and uses a wrong password. In the below example, the User tries to run cmd.exe with the Runas option and uses his Microsoft Account with a wrong password.





Windows Failed Logon Event (Logon Type 2): The Event ID below gets registered when a User tries to run an application / executable using an invalid / wrong Microsoft Account. In the below example, the User tries to run cmd.exe with the Runas option and uses an invalid / wrong Microsoft Account.





Windows Failed Logon Event (Logon Type 3): The Event ID below gets registered when a User enters an invalid password when trying to Remote Desktop using his Microsoft Account. In the below example, the account is used to RDP into a Windows 8.1 Preview PC with an invalid password.





Windows Failed Logon Event (Logon Type 3): The Event ID below gets registered when a User enters an invalid Email ID when trying to Remote Desktop into a Windows 8.1 Preview PC. In the below example, an account with an invalid Email ID is used to RDP into the Windows 8.1 Preview PC.











The Windows 8.1 Preview Operating System registers Logoff events when a Security Principal successfully logs off from a Windows desktop / Remote Desktop session / Windows Service / Microsoft account respectively.





Windows Logon Events (Logon Type 2)

    Event ID: 4647    Type: Audit Success    Category: Logoff    Description: User Initiated Logoff
    Event ID: 4634    Type: Audit Success    Category: Logoff    Description: An account was logged off


Windows Logon Events (Logon Type 3)

    Event ID: 4643    Type: Audit Success    Category: Logoff    Description: An account was logged off


Windows Logon Events (Logon Type 4)

    Event ID: 4643    Type: Audit Success    Category: Logoff    Description: An account was logged off


Windows Logon Events (Logon Type 5)

    Event ID: 4643    Type: Audit Success    Category: Logoff    Description: An account was logged off


Windows Logon Events (Logon Type 9)

    Event ID: 4643    Type: Audit Success    Category: Logoff    Description: An account was logged off


Windows Logon Events (Logon Type 10)

    Event ID: 4643    Type: Audit Success    Category: Logoff    Description: An account was logged off








Windows Success Logoff Event (Logon Type 2): Below are the Event IDs that get registered when a User logs off from a Windows 8.1 Preview PC.







Windows Success Logoff Event (Logon Type 3): The Event ID below gets registered when a User logs off from a Network share. In the below example, PowerUser logged off from a Shared Network drive.





Windows Success Logoff Event (Logon Type 4): The Event ID below gets registered when an Administrator ends a Scheduled Task that runs with a specific User account. In my below example, a Scheduled Task is configured with PowerUser and, after the Task completes, the Task is set to the End state by the Administrator, which registers the logoff event ID.





Windows Success Logoff Event (Logon Type 5): The Event ID below gets registered when a Windows Service that is configured with a User account enters the Stop state or the Administrator stops the service. In the below example, the Windows Image Acquisition service is stopped by the User.





Windows Success Logoff Event (Logon Type 9): The Event ID below gets registered when a User account logs off from a RunAs /netonly session. In my below example, the MMC.exe application is launched using RunAs /netonly as follows:

    runas /netonly /user:win8-1\poweruser mmc.exe

When the User closes MMC.exe, an event gets registered in the Event Viewer.





Windows Success Logoff Event (Logon Type 10): The Event ID below gets registered when a User successfully logs off from a Remote Desktop session. In my below example, PowerUser logs off from a Remote Desktop session.
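The logoff scenarios above only become useful to an administrator once each logoff can be tied back to the logon it ends. Windows does this through the Logon ID: the 4624 event records it as the new logon's Logon ID (the TargetLogonId field in the event XML), and the matching 4634 or 4647 carries the same value. The following is an added example, not code from the original article, that pairs logons with logoffs on that field and reports a session duration per account and logon type. The sample events are constructed for this example (host name, logon IDs and timestamps are made up).

```powershell
# Added example, not from the original article. Pairs 4624 logons with the
# 4634/4647 logoff carrying the same TargetLogonId and reports session length.

function Get-EventFields {
    # Flatten one Security event (ToXml() output) into a simple object.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $f = @{
        EventID = [int]$xml.Event.System.EventID
        Time    = [datetime]::Parse($xml.Event.System.TimeCreated.SystemTime).ToUniversalTime()
    }
    foreach ($d in @($xml.Event.EventData.Data)) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]$f
}

function Get-LogonSessions {
    param([Parameter(Mandatory)][string[]]$EventXmlList)
    $events = $EventXmlList | ForEach-Object { Get-EventFields $_ }

    # Index logons by Logon ID; logoffs are matched against this table.
    $open = @{}
    foreach ($e in ($events | Where-Object { $_.EventID -eq 4624 })) { $open[$e.TargetLogonId] = $e }

    foreach ($e in ($events | Where-Object { $_.EventID -in 4634, 4647 } | Sort-Object Time)) {
        $start = $open[$e.TargetLogonId]
        if ($null -eq $start) { continue }   # logoff with no logon in this batch (or already paired)
        $via = if ($e.EventID -eq 4647) { 'User initiated (4647)' } else { 'Session ended (4634)' }
        [pscustomobject]@{
            Account   = "$($start.TargetDomainName)\$($start.TargetUserName)"
            LogonType = $start.LogonType
            LogonId   = $e.TargetLogonId
            LoggedOn  = $start.Time
            LoggedOff = $e.Time
            Duration  = $e.Time - $start.Time
            LogoffVia = $via
        }
        $open.Remove($e.TargetLogonId)
    }

    # Whatever is left has no logoff yet: still logged on (or the logoff was not audited).
    foreach ($id in @($open.Keys)) {
        $start = $open[$id]
        [pscustomobject]@{
            Account   = "$($start.TargetDomainName)\$($start.TargetUserName)"
            LogonType = $start.LogonType
            LogonId   = $id
            LoggedOn  = $start.Time
            LoggedOff = $null
            Duration  = $null
            LogoffVia = 'Still logged on'
        }
    }
}

# Constructed samples: an RDP logon (type 10), its user-initiated logoff, the
# 4634 that follows it, and a network logon (type 3) that has not logged off.
$Rdp4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-07-01T09:00:00.000Z"/><Computer>WIN8-1</Computer></System><EventData><Data Name="TargetUserName">PowerUser</Data><Data Name="TargetDomainName">WIN8-1</Data><Data Name="TargetLogonId">0x5a2c3</Data><Data Name="LogonType">10</Data></EventData></Event>
'@
$Rdp4647 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4647</EventID><TimeCreated SystemTime="2013-07-01T09:45:30.000Z"/><Computer>WIN8-1</Computer></System><EventData><Data Name="TargetUserName">PowerUser</Data><Data Name="TargetDomainName">WIN8-1</Data><Data Name="TargetLogonId">0x5a2c3</Data></EventData></Event>
'@
$Rdp4634 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4634</EventID><TimeCreated SystemTime="2013-07-01T09:45:31.000Z"/><Computer>WIN8-1</Computer></System><EventData><Data Name="TargetUserName">PowerUser</Data><Data Name="TargetDomainName">WIN8-1</Data><Data Name="TargetLogonId">0x5a2c3</Data><Data Name="LogonType">10</Data></EventData></Event>
'@
$Share4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2013-07-01T10:15:00.000Z"/><Computer>WIN8-1</Computer></System><EventData><Data Name="TargetUserName">PowerUserII</Data><Data Name="TargetDomainName">WIN8-1</Data><Data Name="TargetLogonId">0x7b1d9</Data><Data Name="LogonType">3</Data></EventData></Event>
'@

Get-LogonSessions -EventXmlList @($Rdp4624, $Rdp4647, $Rdp4634, $Share4624) | Format-Table -AutoSize
```

An interactive logoff normally yields both 4647 and 4634 with the same Logon ID, so the pairing takes whichever comes first and ignores the second; the live-log equivalent is to feed `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647 } | ForEach-Object { $_.ToXml() }` into Get-LogonSessions. Network (type 3) logons to a share are frequently short-lived and produce many pairs, so filtering on LogonType before reporting keeps the output focused on interactive and RDP sessions.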











Conclusion: This article provides extensive information about the Logon Events that get registered on the Windows 8.1 Preview Operating System. Most of the Event IDs are the same as on a Windows 8 / Windows 7 PC. This article helps Operations Managers / Architects / System Engineers to orchestrate / automate the handling of these Audit Event IDs.
