Logon Type Codes

Windows Server 2000, Windows XP, Windows Server 2003 işletim sistemleri üzerindeki event lara bakarsanız eğer 528 ve 540 nolu eventlar başarılı logon işlemlerini göstermektedir ( windows vista ve 2008 de bu event id 4624 ile değişmiş ancak logon type bölümü aynı kalmıştır.. Ancak siz bu logon işlemini nereden gerçekleştiğini öğrenmek için bu event içerisindeki logon type değerini kontrol etmelisiniz.
örnek bir event

Successful Logon:

User Name:administrator

Domain:ELM
Logon ID:(0x0,0x558DD)
Logon Type:2
Logon Process:User32
Authentication Package:Negotiate
Workstation Name:W2MS
Windows XP and Windows Server 2003 add:
Logon GUID:{d39697e4-34a9-b3e0-f30a-d2ba517eb4a2}
Windows Server 2003 adds these fields:
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID: –
Transited Services: –
Source Network Address:10.42.42.170
Source Port:3165

Logon type karşılığındaki numaraları anlamak için aşağıdaki tabloyu kullanabilirsiniz.

Logon Type
Description
2
Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10.
3
Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon – Never logged by 528 on W2k and forward. See event 540)
4
Batch (i.e. scheduled task)
5
Service (Service startup)
7
Unlock (i.e. unnattended workstation with password protected screen saver)
8
NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”) See this article for more information.
9
NewCredentials
10
RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11
CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)