Windows Security Log Event ID 528

Operating Systems	Windows Server 2000 Windows 2003 and XP
Category	Logon/Logoff
Type	Success
Corresponding events in Windows 2008 and Vista	4624

528: Successful Logon

On this page

Description of this event
Field level details
Examples

Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons (see event 540). Event 528 is logged whether the account used for logon is a local SAM account or a domain account.

Logon types possible:

Logon Type	Description
2	Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10.
3	Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon - Never logged by 528 on W2k and forward. See event 540)
4	Batch (i.e. scheduled task)
5	Service (Service startup)
7	Unlock (i.e. unnattended workstation with password protected screen saver)
8	NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9	NewCredentials
10	RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11	CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

For an explanation of the Logon Process field, see event 515. For an explanation of the Authentication Package field, see event 514.
Logon GUID is not documented. It is unclear what purpose the Caller User Name, Caller Process ID, and Transited Services fields serve.

Source Network Address corresponds to the IP address of the Workstation Name. Source Port is the TCP port of the workstation and has dubious value.

Logon ID is useful for correlating to many other events that occurr during this logon session.

Free Security Log Resources by Randy

Description Fields in 528

User Name:
Domain:
Logon ID: useful for correlating to many other events that occurr during this logon session
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7

The following field is not logged in Window 2000:

Logon GUID

The following fields are not logged in Windows 2000 or XP:

Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address:
Source Port:

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

Examples of 528

Successful Logon:

User Name:administrator

Domain:ELM
Logon ID:(0x0,0x558DD)
Logon Type:2
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:W2MS
Windows XP and Windows Server 2003 add:
Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Windows Server 2003 adds these fields:
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: -
Transited Services: -
Source Network Address:10.42.42.170
Source Port:3165

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 528

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

October 2025 Patch Tuesday	"Patch Tuesday - 172 Updates Today and 6 Zero-Days! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.