Log-on type codes revealed

WindowSecurity.com - The log-on/log-off category of the Windows security log gives you the ability to monitor all attempts to access the local computer. In this article I'll examine each log-on type in greater detail and show you how some other fields in Logon/Logoff events can be helpful for understanding the nature of a given log-on attempt.
Event IDs 528 and 540 signify a successful log-on, event ID 538 a log-off and all the other events in this category identify different reasons for a log-on failure. However, just knowing about a successful or failed log-on attempt doesn't fill in the whole picture. Because of all the services Windows offers, there are many different ways you can log on to a computer, such as interactively at the computer's local keyboard and screen, over the network through a drive mapping or through terminal services (aka remote desktop) or through IIS. Thankfully, log-on/log-off events specify the Logon Type code, which reveals the type of log-on that prompted the event.
Log-on Type 2: Interactive
This is what occurs to you first when you think of log-ons, that is, a log-on at the console of a computer. You'll see these types of log-ons when a user attempts to log on at the local keyboard and screen whether with a domain account or a local account from the computer's local SAM.
To tell the difference between an attempt to log on with a local or domain account, look for the domain or computer name preceding the user name in the event's description. Don't forget that log-on's through a KVM over IP component or a server's proprietary "lights-out" remote KVM feature are still interactive log-ons from the standpoint of Windows and will be logged as such.
Log-on Type 3: Network
Windows logs log-on type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of log-on events with log-on type 3 is connections to shared folders or printers. But other over-the-network log-ons are classed as log-on type 3 as well such as most log-ons to IIS. (The exception is basic authentication which is explained in Log-on Type 8 below.)
Log-on Type 4: Batch
When Windows executes a scheduled task, the Scheduled Task service first creates a new log-on session for the task so that it can run under the authority of the user account specified when the task was created. When this log-on attempt occurs, Windows logs it as log-on type 4. Other job scheduling systems, depending on their design,

Reprinted with permission from

For more security news visit WindowSecurity.com
Story copyright 2006 WindowSecurity.com. All rights reserved.