4624(S): An account was successfully logged on.

Applies to: Windows 10, Windows Server 2...

Subcategory: Audit Logon.

Event Description: This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.

Note: For recommendations, see Security Monitoring Recommendations for this event.

Event XML:

<Event xmlns="http://schemas...">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="..." />
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>1...</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80...</Keywords>
    <TimeCreated SystemTime="..." />
    <EventRecordID>2...</EventRecordID>
    <Correlation ActivityID="..." />
    <Execution ProcessID="716" ThreadID="7..." />
    <Channel>Security</Channel>
    <Computer>WIN-GG8...</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-1...</Data>
    <Data Name="SubjectUserName">WIN-GG8...</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x...</Data>
    <Data Name="TargetUserSid">S-1-5-2...</Data>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WIN-GG8...</Data>
    <Data Name="TargetLogonId">0x...</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="LogonProcessName">User...</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">WIN-GG8...</Data>
    <Data Name="LogonGuid">...</Data>
    <Data Name="TransmittedServices">...</Data>
    <Data Name="LmPackageName">...</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x44c</Data>
    <Data Name="ProcessName">C:\Windows\System...</Data>
    <Data Name="IpAddress">127...</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="ImpersonationLevel">...</Data>
    <Data Name="RestrictedAdminMode">...</Data>
    <Data Name="TargetOutboundUserName">...</Data>
    <Data Name="TargetOutboundDomainName">...</Data>
    <Data Name="VirtualAccount">...</Data>
    <Data Name="TargetLinkedLogonId">0x...</Data>
    <Data Name="ElevatedToken">...</Data>
  </EventData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2..., Windows Vista.

Event Versions:
  0 - Windows Server 2..., Windows Vista.
  1 - Windows Server 2..., Windows 8.
    Added Impersonation Level field.
  2 - Windows 10.
    Added Logon Information section.
    Logon Type moved to Logon Information section.
    Added Restricted Admin Mode field.
    Added Virtual Account field.
    Added Elevated Token field.
    Added Linked Logon ID field.
    Added Network Account Name field.
    Added Network Account Domain field.

Field Descriptions:

Subject:

Security ID [Type = SID]: SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

Account Name [Type = UnicodeString]: the name of the account that reported information about successful logon.

Account Domain [Type = UnicodeString]: subject's domain or computer name. Formats vary, and include the following:
  Domain NETBIOS name example: CONTOSO
  Lowercase full domain name: contoso...
  Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is NT AUTHORITY.
  For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: Win...

Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, 4672(S): Special privileges assigned to new logon.

Logon Information [Version 2]:

Logon Type [Version 0, 1, 2] [Type = UInt...]: The table below contains the list of possible values for this field.
Logon types and descriptions (Logon Type, Logon Title, Description):

  2, Interactive: A user logged on to this computer.
  Network: A user or computer logged on to this computer from the network.
  Batch: Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  Service: A service was started by the Service Control Manager.
  Unlock: This workstation was unlocked.
  NetworkCleartext: A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
  NewCredentials: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
  RemoteInteractive: A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  CachedInteractive: A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Restricted Admin Mode [Version 2] [Type = UnicodeString]: Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win... R2 but this flag was added to the event in Win... Reference: http://blogs... If not a RemoteInteractive logon, then this will be string.

Virtual Account [Version 2] [Type = UnicodeString]: a Yes or No flag, which indicates if the account is a virtual account (e.g., Managed Service Account), which was introduced in Windows 7 and Windows Server 2... R2 to provide the ability to identify the account that a given Service uses, instead of just using NetworkService.

Elevated Token [Version 2] [Type = UnicodeString]: a Yes or No flag. If Yes, then the session this event represents is elevated and has administrator privileges.

Impersonation Level [Version 1, 2] [Type = UnicodeString]: can have one of these four values:
  SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client.