Windows Logon Types
Logon types appear in Windows Security event logs (Event IDs 4624, 4625) and indicate how a user or process authenticated to the system. Understanding logon types is essential for security monitoring, incident response, and forensic analysis.
Quick Reference
| Type | Name | Description |
|---|---|---|
| 2 | Interactive | Local keyboard/console logon |
| 3 | Network | Access from network (SMB, etc.) |
| 4 | Batch | Scheduled task execution |
| 5 | Service | Service started by SCM |
| 7 | Unlock | Workstation unlock |
| 8 | NetworkCleartext | Network logon with cleartext password |
| 9 | NewCredentials | RunAs /netonly (cloned token) |
| 10 | RemoteInteractive | RDP/Terminal Services |
| 11 | CachedInteractive | Domain logon with cached credentials |
Detailed Descriptions
Logon Type 2: Interactive
Description: A user logged on to this computer locally.
An event with logon type 2 occurs when a user logs on (or attempts to log on) locally, such as typing username and password at the Windows logon prompt.
Key Points:
- Occurs for both local and domain account logons
- For domain accounts, this type appears only when the user actually authenticates against a domain controller
- If the DC is unavailable but valid cached credentials exist, Windows logs type 11 instead
Common Scenarios:
- User logs on at the physical console
- Fast User Switching between accounts (generates type 2, not type 7)
Logon Type 3: Network
Description: A user or computer logged on to this computer from the network.
This event is logged when someone accesses a computer from the network, commonly when connecting to shared resources.
Key Points:
- Most common for accessing shared folders, printers, etc.
- Can be established even from the local computer (e.g., `net use \\localhost\share`)
- No interactive session is created
Common Scenarios:
- Mapping network drives
- Accessing file shares (SMB)
- WMI remote queries
- Many admin tools that connect remotely
Security Note: Pass-the-Hash attacks typically generate type 3 logon events.
Logon Type 4: Batch
Description: Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
This event occurs when a scheduled task is started.
Key Points:
- Windows Task Scheduler creates a new logon session to execute tasks
- If a task is configured to run only when a user is logged on, no new session is created
- Related events: 4648 (explicit credentials), 4624/4625 (logon success/failure)
Common Scenarios:
- Scheduled tasks running under a specific user account
- Batch job execution
Logon Type 5: Service
Description: A service was started by the Service Control Manager.
When Windows starts a service configured to log on as a user, it creates a new logon session.
Key Points:
- Only occurs for services using standard user accounts
- Does NOT occur for special accounts:
  - Local System
  - NT AUTHORITY\LocalService
  - NT AUTHORITY\NetworkService
- Logoff event (4634) is registered when the service stops
- Event description does NOT contain the service name (only shows services.exe)
Security Note: Audit Failure (4625) with type 5 commonly indicates the service account password was changed and needs to be updated in service configuration.
Logon Type 7: Unlock
Description: This workstation was unlocked.
Occurs when a user unlocks (or attempts to unlock) a previously locked workstation.
Key Points:
- Windows creates a new logon session and immediately closes it (with event 4634)
- Fast User Switching generates type 2 (Interactive), NOT type 7
- May generate 2 logon sessions depending on UAC elevation conditions
Security Note: Audit Failure (4625) with type 7 indicates either a typo or a potential brute-force attempt against a locked workstation.
Logon Type 8: NetworkCleartext
Description: A user logged on from the network with credentials passed in cleartext (unhashed form).
Key Points:
- Should rarely be seen in modern environments
- Credentials do NOT traverse the network in plaintext with built-in authentication packages
- Commonly associated with IIS basic authentication
Security Warning: Cleartext password transmission is dangerous. If basic authentication is required:
- Use SSL/TLS encryption
- Implement VPN
- Consider alternative authentication methods
Logon Type 9: NewCredentials
Description: A caller cloned its current token and specified new credentials for outbound connections.
Occurs when using `runas /netonly`: the new session uses the current credentials locally but different credentials for network connections.
Key Points:
- Local identity remains the same
- Different credentials used for network connections
- Program runs even if wrong password is provided (uses cloned current credentials)
- Logoff event logged when application exits
- Remote server logs type 3 when the application accesses its resources
Example:

```cmd
runas.exe /netonly /user:DOMAIN\Administrator "cmd.exe"
```
Use Cases:
- Running admin tools with elevated network permissions
- Accessing resources in different domains
- Testing connectivity with different credentials
Logon Type 10: RemoteInteractive
Description: A user logged on remotely using Terminal Services or Remote Desktop.
Similar to type 2 (Interactive) but the user connects from a remote machine via RDP.
Key Points:
- Generated for RDP sessions
- Terminal Services connections
- Remote Assistance sessions
Common Scenarios:
- Remote Desktop connections
- Terminal Server sessions
- Remote Assistance
Security Note: Monitor for unexpected type 10 events, especially from unusual source IPs or outside business hours.
Logon Type 11: CachedInteractive
Description: A user logged on with network credentials stored locally. The domain controller was not contacted.
When domain users log on and the DC is unavailable, Windows validates against cached credential hashes.
Key Points:
- Windows caches the last 10-25 logon credentials by default (OS dependent)
- Can be increased up to 50 cached credentials
- Useful for laptops and mobile users
- DC is not contacted for validation
Security Implications:
- Cached credentials can be extracted with tools like Mimikatz
- Consider reducing the cache count on sensitive systems
- Registry key: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount`
Security Monitoring Use Cases
Detecting Lateral Movement
| Indicator | Logon Type | Notes |
|---|---|---|
| Pass-the-Hash | 3 | Network logon from unexpected sources |
| RDP Lateral Movement | 10 | RemoteInteractive from internal hosts |
| PsExec-style tools | 3 | Network logon followed by service creation |
Detecting Credential Attacks
| Indicator | Logon Type | Notes |
|---|---|---|
| Brute Force (local) | 2, 7 | Multiple failures on same workstation |
| Brute Force (network) | 3 | Multiple type 3 failures from same source |
| Password Spray | 3 | Single failure across many accounts |
Suspicious Patterns
- Type 10 (RDP) from external IPs
- Type 9 (NewCredentials) on servers
- Type 8 (NetworkCleartext) anywhere
- Type 3 to sensitive servers from workstations
- Type 4/5 failures indicating misconfigured services
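The following is an added example (not part of the original page) that turns the brute-force, password-spray, cleartext and external-RDP rows of the tables and list above into detection logic and runs it over constructed 4624/4625-style records. The tuple layout, the threshold of 3 and the "internal" network list are assumptions for the example, not values from the page.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample records shaped like 4624/4625 events (not real telemetry):
# (event_id, logon_type, account, workstation, source_ip)
SAMPLE_EVENTS = [
    (4625, 2, "alice", "WS01", "127.0.0.1"),      # console/unlock failures, one host
    (4625, 7, "alice", "WS01", "127.0.0.1"),
    (4625, 2, "alice", "WS01", "127.0.0.1"),
    (4625, 3, "svc_backup", "FS01", "10.0.0.5"),  # same account hammered over the network
    (4625, 3, "svc_backup", "FS01", "10.0.0.5"),
    (4625, 3, "svc_backup", "FS01", "10.0.0.5"),
    (4625, 3, "bob", "FS01", "10.0.0.9"),         # one failure each across many accounts
    (4625, 3, "carol", "FS01", "10.0.0.9"),
    (4625, 3, "dave", "FS01", "10.0.0.9"),
    (4624, 8, "web_user", "IIS01", "10.0.0.20"),  # cleartext network logon
    (4624, 10, "admin", "RDP01", "203.0.113.7"),  # RDP from outside RFC 1918 space
    (4624, 10, "admin", "RDP01", "10.0.0.30"),
]
THRESHOLD = 3  # assumed tuning value, not from the page
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(src):
    """True for RFC 1918/loopback sources and for local logons without an IP ('-')."""
    try:
        return any(ip_address(src) in net for net in INTERNAL_NETS)
    except ValueError:
        return True

def detect(events, threshold=THRESHOLD):
    """Return sorted (rule, key) findings for the logon-type patterns in the tables above."""
    local_fail = defaultdict(int)  # workstation -> type 2/7 failures
    net_fail = defaultdict(int)    # (source_ip, account) -> type 3 failures
    spray = defaultdict(set)       # source_ip -> distinct accounts with a type 3 failure
    findings = set()
    for event_id, ltype, account, host, src in events:
        if event_id == 4625 and ltype in (2, 7):
            local_fail[host] += 1
        elif event_id == 4625 and ltype == 3:
            net_fail[(src, account)] += 1
            spray[src].add(account)
        elif event_id == 4624 and ltype == 8:
            findings.add(("NetworkCleartext logon", host))
        elif event_id == 4624 and ltype == 10 and not is_internal(src):
            findings.add(("RDP from external IP", src))
    findings.update(("Brute force (local)", h) for h, n in local_fail.items() if n >= threshold)
    findings.update(("Brute force (network)", f"{s} -> {a}")
                    for (s, a), n in net_fail.items() if n >= threshold)
    findings.update(("Password spray", s) for s, accts in spray.items() if len(accts) >= threshold)
    return sorted(findings)
```

Brute force and spray are separated by keying network failures on (source, account) versus distinct accounts per source, so the same three failures do not fire both rules.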
Related Event IDs
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4634 | Logoff |
| 4647 | User initiated logoff |
| 4648 | Logon with explicit credentials |
| 4672 | Special privileges assigned |