Windows Security Log Event ID 4647

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
 • Logoff
Type Success
Corresponding events
in Windows 2003
and before

4647: User initiated logoff

On this page

Also see 4634. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event seems to be in place of 4634 in the case of Interactive and RemoteInteractive (remote desktop) logons.  This is a plus since it makes it easier to distinguish between logoffs resulting from an idle network session and logoffs where the user actually logs off with from his console.

Free Security Log Resources by Randy

Description Fields in 4647


  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 4647

User initiated logoff:

Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x19f4c

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed.  No further user-initiated activity can occur.  This event can be interpreted as a logoff event.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources