Windows Security Logon Types
Event 528 and Event 540 are the logon events. Event 528 is logged for all logons except “network” logons. “Network” logons are SMB/Microsoft-DS logons (i.e., connecting to a share). RDP, IIS, FTP logons, etc., are logged as event 528 even though the credentials may have come over the network. All 540 events are logon type 3.
Resource: http://msdn.microsoft.com/en-us/library/aa380129.aspx
Resource: http://msdn.microsoft.com/en-us/library/aa394189.aspx
Resource: http://blogs.msdn.com/b/ericfitz/archive/2004/12/09/279282.aspx
Logon type | Logon title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer at the console. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes might run on behalf of a user without the user’s direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication. |
9 | NewCredentials | A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
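
As an added example (not part of the original page), the following Python code applies the 528/540 rule and the table above to a constructed export of logon events and lists the records worth a second look. The CSV layout (`event_id,logon_type,user`), the sample rows and the `triage` function name are assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Logon types copied from the table above.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample export (assumed columns: event_id, logon_type, user).
SAMPLE = """\
528,2,alice
540,3,FILESRV$
528,10,bob
528,8,webuser
528,11,carol
540,2,mallory
528,3,dave
528,6,erin
"""

def triage(text):
    """Return (count per logon title, list of (row, reason) to review)."""
    counts, review = Counter(), []
    for row in csv.reader(io.StringIO(text)):
        event_id, logon_type = int(row[0]), int(row[1])
        if event_id not in (528, 540):
            continue  # not one of the two logon events
        title = LOGON_TYPES.get(logon_type)
        if title is None:
            review.append((tuple(row), "logon type not in table"))
            continue
        counts[title] += 1
        # Rule from the text: 540 is always type 3, 528 is never type 3.
        if (event_id == 540) != (logon_type == 3):
            review.append((tuple(row), "event ID and logon type disagree"))
        elif logon_type == 8:
            review.append((tuple(row), "password passed unhashed"))
        elif logon_type == 11:
            review.append((tuple(row), "cached credentials, DC not contacted"))
    return counts, review

if __name__ == "__main__":
    totals, flagged = triage(SAMPLE)
    print(dict(totals))
    for record, reason in flagged:
        print(record, "->", reason)
```

A record whose event ID and logon type disagree usually points to a parsing or export problem rather than to real activity, so it is reported separately from the type 8 and type 11 findings.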