Scribd
Upload
593 views

Logon Type Codes

Windows uses logon types to identify the method a user logged into a system. Logon types include interactive (Type 2), network (Type 3), batch (Type 4), service (Type 5), unlock (Type 7), network cleartext (Type 8), new credentials (Type 9), remote interactive (Type 10), and cached interactive (Type 11). Each logon type represents a different authentication method like at the local console, over the network, via a scheduled task, or in cached credentials on a laptop.

Uploaded by

Francesco Calciano
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
593 views

Logon Type Codes

Windows uses logon types to identify the method a user logged into a system. Logon types include interactive (Type 2), network (Type 3), batch (Type 4), service (Type 5), unlock (Type 7), network cleartext (Type 8), new credentials (Type 9), remote interactive (Type 10), and cached interactive (Type 11). Each logon type represents a different authentication method like at the local console, over the network, via a scheduled task, or in cached credentials on a laptop.

Uploaded by

Francesco Calciano
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

LOGON TYPE CODES

Cheat Sheet
Interactive
Type 2 A logon at the console of a computer, whether with a domain account or a local
account from the computer’s local SAM. To tell the difference, look for the domain
or computer name preceding the user name in the event’s description.

Network
Type 3 When accessing a computer from elsewhere on the network. Most commonly
connections to shared folders or printers, and other over-the-network logons.

Batch
Type 4 Logon sessions created by Windows when it executes a scheduled task to run it
under the authority of the specified user account. Other job scheduling systems may
also generate type 4 logon events when starting jobs.

Service
Type 5 Similar to scheduled tasks, each service is configured to run as a specified user
account. When a service starts, Windows first creates a logon session which results in
a type 5 logon event.

Unlock
Type 7 When a user returns to their workstation and attempts to unlock the console from the
password protected screen saver mode, Windows treats this as a logon and logs the
event as type 7.

NetworkCleartext
Type 8 Indicates a network logon, like logon type 3, but where the password was sent over
the network as clear text. Windows server doesn’t allow connection to shared file or
printers with clear text authentication. These logons can happen from within an ASP
script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication
mode. In both cases the logon process in the event’s description will list advapi.

NewCredentials
Type 9 If you use the RunAs command to start a program under a different user account and
specify the /netonly switch, Windows records a logon/logoff event with logon type 9.

RemoteInteractive
Type 10 When you access a computer through Terminal Services, Remote Desktop or Remote
Assistance, Windows logs the logon attempt with logon type 10. (Prior to XP,
Windows 2000 doesn’t use logon type 10 and Terminal Services logons are reported
as logon type 2.)

CachedInteractive
Type 11 Cached logons facilitate mobile users. Windows caches a hash of the last 10
interactive domain logon credentials . Later, when you are not connected to your
organization’s network and attempt to logon to your laptop with a domain account
and there’s no domain controller available for verification, Windows uses these hashes
to verify your identity.
LOGON TYPE CODES
Cheat Sheet
Interactive
Type 2 A logon at the console of a computer, whether with a domain account or a local
account from the computer’s local SAM. To tell the difference, look for the domain
or computer name preceding the user name in the event’s description.

Network
Type 3 When accessing a computer from elsewhere on the network. Most commonly
connections to shared folders or printers, and other over-the-network logons.

Batch
Type 4 Logon sessions created by Windows when it executes a scheduled task to run it
under the authority of the specified user account. Other job scheduling systems may
also generate type 4 logon events when starting jobs.

Service
Type 5 Similar to scheduled tasks, each service is configured to run as a specified user
account. When a service starts, Windows first creates a logon session which results in
a type 5 logon event.

Unlock
Type 7 When a user returns to their workstation and attempts to unlock the console from the
password protected screen saver mode, Windows treats this as a logon and logs the
event as type 7.

NetworkCleartext
Type 8 Indicates a network logon, like logon type 3, but where the password was sent over
the network as clear text. Windows server doesn’t allow connection to shared file or
printers with clear text authentication. These logons can happen from within an ASP
script using the ADVAPI or when a user logs on to IIS using IIS’s basic authentication
mode. In both cases the logon process in the event’s description will list advapi.

NewCredentials
Type 9 If you use the RunAs command to start a program under a different user account and
specify the /netonly switch, Windows records a logon/logoff event with logon type 9.

RemoteInteractive
Type 10 When you access a computer through Terminal Services, Remote Desktop or Remote
Assistance, Windows logs the logon attempt with logon type 10. (Prior to XP,
Windows 2000 doesn’t use logon type 10 and Terminal Services logons are reported
as logon type 2.)

CachedInteractive
Type 11 Cached logons facilitate mobile users. Windows caches a hash of the last 10
interactive domain logon credentials . Later, when you are not connected to your
organization’s network and attempt to logon to your laptop with a domain account
and there’s no domain controller available for verification, Windows uses these hashes
to verify your identity.

[print version]

You might also like