Windows Security Log Event ID 4647

This Page is locked
Modified: 2008/01/14 17:42 by Randy Franklin Smith - Categorized as: Security Log Events

Table of Contents [Hide/Show]


Edit

User initiated logoff

Operating SystemsWindows Server 2008
CategoryLogon/Logoff
SubcategoryLogoff
TypeSuccess
Legacy Events 538

Also see 4634. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event seems to be in place of 4634 in the case of Interactive and RemoteInteractive (remote desktop) logons.  This is a plus since it makes it easier to distinguish between logoffs resulting from an idle network session and logoffs where the user actually logs off with from his console.

Edit

Examples

User initiated logoff:

Subject:
Security ID:  WIN-R9H529RIO4Y\Administrator
Account Name:  Administrator
Account Domain:  WIN-R9H529RIO4Y
Logon ID:  0x19f4c

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed.  No further user-initiated activity can occur.  This event can be interpreted as a logoff event.

Edit

More Resources


Upcoming Webinars by Randy Franklin Smith

The Challenge and Benefits of Normalizing Log Data from Disparate Systems

IT Audit: Assessing and Auditing the Windows/Active Directory Environment


Additional Links

A
D
V

NEW! GFI EventsManager 8 Extends Event Management Capabilities. Find Out More.

Get Randy's Security Log Resource Kit

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. Terms and conditions.