Security Events Logon Type Definitions


The following definitions are taken from ntsecapi.h in the security subdirectory on the Win32 SDK CD. They are used by a logon process to indicate what type of logon is being requested.

typedef enum _SECURITY_LOGON_TYPE
{
    Interactive = 2,  // Interactively logged on (locally or remotely)
    Network     = 3,  // Accessing system via network
    Batch       = 4,  // Started via a batch queue
    Service     = 5,  // Service started by service controller
    Proxy       = 6,  // Proxy logon
    Unlock      = 7   // Unlock workstation
} SECURITY_LOGON_TYPE, *PSECURITY_LOGON_TYPE;

Logon Events (interactive):

A successful logon event generates Event ID 528, Logon Type 2. A logoff event generates Event ID 538, Logon Type 2.

Connection Events (network):

A successful Net Use or File Manager connection or a successful Net View generates Event ID 528, Logon Type 3.

Connection events are sessions at the server level and are generated only by the initial connection from a particular user. Later Net Views or Net Uses from the same user to the same computer do not generate logged events unless the user has disconnected (or has been autodisconnected) from all shares.

See Q103390 for a discussion of NT account validation across networks.
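
Added example (not part of the original tip or of any Microsoft code): a small session reconstructor that pairs Event ID 528 logons with Event ID 538 logoffs and labels them with the logon types above. The sample records, the pairing on (user, logon type), and the Type 3 logoff records are assumptions of this example; the page itself names 538 only for Type 2.

```python
from collections import defaultdict

# Event IDs and logon types as listed on this page (NT 4.0 Security log).
LOGON, LOGOFF = 528, 538
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 6: "Proxy", 7: "Unlock"}

# Constructed sample records: (seconds, event id, logon type, user).
# Pairing on (user, logon type) is an assumption of this example,
# because the page names no per-session identifier.
SAMPLE_EVENTS = [
    (0,   528, 2, "alice"),
    (30,  528, 3, "bob"),    # initial connection from bob: logged
    (400, 538, 3, "bob"),    # bob disconnected from all shares
    (450, 528, 3, "bob"),    # new initial connection: logged again
    (900, 538, 2, "alice"),
    (950, 538, 3, "carol"),  # logoff whose logon is not in this log
]

def reconstruct_sessions(events):
    """Pair each 538 with the latest unmatched 528 for the same key."""
    open_logons = defaultdict(list)  # (user, type) -> logon timestamps
    closed, orphans = [], []
    for ts, event_id, logon_type, user in sorted(events):
        key = (user, logon_type)
        name = LOGON_TYPES.get(logon_type, "Unknown")
        if event_id == LOGON:
            open_logons[key].append(ts)
        elif event_id == LOGOFF:
            if open_logons[key]:
                closed.append((user, name, open_logons[key].pop(), ts))
            else:
                # Log was cleared, wrapped, or auditing started late.
                orphans.append((user, name, ts))
    still_open = [(u, LOGON_TYPES.get(t, "Unknown"), s)
                  for (u, t), starts in open_logons.items() for s in starts]
    return closed, still_open, orphans

if __name__ == "__main__":
    closed, still_open, orphans = reconstruct_sessions(SAMPLE_EVENTS)
    for user, kind, start, end in closed:
        print(f"{user:6} {kind:12} {end - start:5d}s")
    print("still open:", still_open)
    print("logoff without logon:", orphans)
```

Because only the initial connection from a user is logged, a single Network session in this output can cover any number of later Net Use or Net View operations.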


Frank Heyne has made available a Windows NT Eventlog FAQ.
