Windows Security Log Event ID 4647

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Subcategory: Logoff
Type: Success
Corresponding events in Windows 2003 and before

4647: User initiated logoff


Also see 4634. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event seems to be logged in place of 4634 for Interactive and RemoteInteractive (remote desktop) logons. This is a plus, since it makes it easier to distinguish logoffs that result from an idle network session from logoffs where the user actually logs off from the console.
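
The correlation described above, pairing each 4624 with its 4647 or 4634 by Logon ID, as an added example (not code from the original page). The record layout, host names, accounts and timestamps are constructed assumptions; the sketch also treats a 4634 that follows a 4647 for the same Logon ID as part of the same user-initiated logoff.

```python
from datetime import datetime

# Constructed sample records (not real log data); field names are assumptions
# standing in for values exported from the Security log.
# Logon types: 2 = Interactive, 3 = Network, 10 = RemoteInteractive.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:05", "host": "WS01", "event_id": 4624,
     "account": "alice", "logon_type": 2, "logon_id": "0x19f4c"},
    {"time": "2024-05-01T08:10:00", "host": "WS01", "event_id": 4624,
     "account": "bob", "logon_type": 3, "logon_id": "0x2A001"},
    {"time": "2024-05-01T08:10:30", "host": "WS01", "event_id": 4634,
     "account": "bob", "logon_id": "0x2a001"},
    {"time": "2024-05-01T09:00:00", "host": "WS01", "event_id": 4624,
     "account": "carol", "logon_type": 10, "logon_id": "0x3b7d2"},
    {"time": "2024-05-01T17:30:05", "host": "WS01", "event_id": 4647,
     "account": "alice", "logon_id": "0x19F4C"},
    {"time": "2024-05-01T17:30:06", "host": "WS01", "event_id": 4634,
     "account": "alice", "logon_id": "0x19f4c"},
]

def correlate_sessions(events):
    """Pair each 4624 with its 4647/4634 using (host, Logon ID) as the key."""
    sessions, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        # Logon IDs are hex strings; compare as integers so letter case is ignored.
        key = (ev["host"], int(ev["logon_id"], 16))
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4624:
            # A new logon replaces any stale entry, since Logon IDs can recur after a reboot.
            s = {"account": ev["account"], "logon_type": ev["logon_type"],
                 "start": when, "end": None, "ended_by": "open"}
            sessions.append(s)
            open_by_key[key] = s
        elif ev["event_id"] in (4647, 4634) and key in open_by_key:
            s = open_by_key[key]
            if s["end"] is None:
                s["end"] = when  # keep the earliest end-of-session time
            if ev["event_id"] == 4647:
                s["ended_by"] = "user-initiated"  # 4647 wins over a later 4634
            elif s["ended_by"] == "open":
                s["ended_by"] = "session-ended"   # only a 4634 was seen
    return sessions

if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_EVENTS):
        print(s["account"], s["logon_type"], s["ended_by"], s["end"])
```

Sessions left as "open" have no matching logoff in the data set, which is worth reviewing separately for interactive and remote desktop logon types.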


Description Fields in 4647


  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4




Examples of 4647

User initiated logoff:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x19f4c

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed.  No further user-initiated activity can occur.  This event can be interpreted as a logoff event.
