|
Operating Systems
|
Windows Server 2000
Windows XP
Windows Server 2003
|
|
Category
|
Logon/Logoff
|
|
Type
|
Success
|
Corresponding events
in Windows
2008
and Vista
|
4624
|
528:
Successful Logon
On this page
Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons (see event 540). Event 528 is logged whether the account used for logon is a local SAM account or a domain account.
Logon types possible:
|
Logon Type
|
Description
|
|
2
|
Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10.
|
|
3
|
Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon - Never logged by 528 on W2k and forward. See event 540) |
|
4
|
Batch (i.e. scheduled task) |
|
5
|
Service (Service startup) |
|
7
|
Unlock (i.e. unnattended workstation with password protected screen saver) |
|
8
|
NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information. |
|
9
|
NewCredentials |
|
10
|
RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
|
11
|
CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network) |
For an explanation of the Logon Process field, see event 515. For an explanation of the Authentication Package field, see event 514.
Logon GUID is not documented. It is unclear what purpose the Caller User Name, Caller Process ID, and Transited Services fields serve.
Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.
Logon ID is useful for correlating to many other events that occurr during this logon session.
Free Security Log Quick Reference Chart