EditAn account was logged off.
Also see event ID
4647 which Windows logs instead of this event in the case of interactive logons when the user logs out.
This event signals the end of a logon session and can be correlated back to the logon event
4624 using the Logon ID.
For network connections (such as to a file server), it will appear that users log on and off many times a day. This phenomenon is caused by the way the Server service terminates idle connections.
If a user turns off his/her computer, Windows does not have an opportunity to log the logoff event until the system restarts. Therefore, some logoff events are logged much later than the time at which they actually occur.
ANONYMOUS LOGONs are routine events on Windows networks.
Microsoft's comments:
This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.
Logon Type: indicates how the user was logged on. See
4624 for explanation of these codes.
EditExamples
An account was logged off.
Subject:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x149be
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
EditMore Resources