Windows Security Log Event ID 4647

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Logon/Logoff • Logoff
Type: Success
Corresponding events in Windows 2003 and before: 551

4647: User initiated logoff


Also see 4634. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event seems to be in place of 4634 in the case of Interactive and RemoteInteractive (remote desktop) logons. This is a plus since it makes it easier to distinguish between logoffs resulting from an idle network session and logoffs where the user actually logs off from his console.
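An added example (not from the original page) of the correlation described above: it pairs 4624 logons with 4647 and 4634 logoffs by Logon ID over constructed sample records and reports how each session ended. The record layout, host names and account names are assumptions; logon types 2, 10 and 3 are Interactive, RemoteInteractive and Network.

```python
from datetime import datetime

# Constructed sample records (not real log data): the fields a collector would
# extract from 4624 (logon), 4647 (user initiated logoff) and 4634 (logoff).
EVENTS = [
    {"id": 4624, "time": "2024-05-01T08:00:00", "host": "WS01", "user": "alice", "logon_id": "0x19f4c", "logon_type": 2},
    {"id": 4624, "time": "2024-05-01T08:05:00", "host": "WS01", "user": "bob", "logon_id": "0x2a110", "logon_type": 3},
    {"id": 4634, "time": "2024-05-01T08:05:30", "host": "WS01", "user": "bob", "logon_id": "0x2a110"},
    {"id": 4624, "time": "2024-05-01T09:00:00", "host": "WS01", "user": "carol", "logon_id": "0x3b7e2", "logon_type": 10},
    {"id": 4647, "time": "2024-05-01T16:30:00", "host": "WS01", "user": "alice", "logon_id": "0x19F4C"},
    {"id": 4634, "time": "2024-05-01T16:30:01", "host": "WS01", "user": "alice", "logon_id": "0x19f4c"},
]

LOGOFF_KIND = {4647: "user-initiated", 4634: "session-ended"}

def correlate(events):
    """Pair each 4624 with its logoff, keyed by (host, Logon ID).

    Logon IDs are only unique on one computer between reboots, so the host
    is part of the key and events are processed in time order.
    """
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], int(ev["logon_id"], 16))  # normalise hex case
        if ev["id"] == 4624:
            sessions[key] = {"user": ev["user"], "logon_type": ev["logon_type"],
                             "start": datetime.fromisoformat(ev["time"]),
                             "end": None, "ended_by": None}
        elif ev["id"] in LOGOFF_KIND and key in sessions:
            s = sessions[key]
            # Assumption: if both 4647 and 4634 arrive for one Logon ID, keep
            # the 4647, because it records that the user chose to log off.
            if s["ended_by"] is None or ev["id"] == 4647:
                s["end"] = datetime.fromisoformat(ev["time"])
                s["ended_by"] = LOGOFF_KIND[ev["id"]]
    return sessions

def report(sessions):
    """Return (user, logon_id, logon_type, ended_by, duration_seconds) rows."""
    rows = []
    for (_host, lid), s in sessions.items():
        dur = (s["end"] - s["start"]).total_seconds() if s["end"] else None
        rows.append((s["user"], hex(lid), s["logon_type"], s["ended_by"] or "open", dur))
    return rows

if __name__ == "__main__":
    for row in report(correlate(EVENTS)):
        print(row)
```

Sessions reported as "open" have a 4624 with no matching logoff in the collected window, which is worth reviewing separately from sessions closed by 4647.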


Description Fields in 4647

Subject:

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4


Examples of 4647

User initiated logoff:

Subject:
   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x19f4c


This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed.  No further user-initiated activity can occur.  This event can be interpreted as a logoff event.
