How much do you know about the secret Windows logon type in the log? _win Server
Source: Internet
Author: User
Yes, in order for you to get more valuable information from the log, Windows has broken down many types of logins so that you can tell whether the logged-in person is logged on locally, logged on from the network, and other ways of logging in. Knowing these logins will help you detect suspicious hacker behavior from the event log and be able to determine how it is attacked. Let's take a look at the type of Windows login in more detail.
Login Type 2: Interactive login (Interactive)
This should be your first thought of the login method, the so-called interactive logon means that the user in the computer's console on the login, that is, the local keyboard on the login, but do not forget the KVM login still belongs to the interactive login, although it is based on the network.
Login Type 3: Network (Network)
When you ask a computer from a network petition in most cases, Windows is type 3, and the most common scenario is when you connect to a shared folder or share a printer. In most cases, this type is also recorded when you log on to IIS over the network, but the IIS login for the Basic authentication method is an exception, and it will be recorded as type 8, as described below.
Login Type 4: Batch processing (Batch)
When Windows runs a scheduled task, the the scheduled task service will first create a new logon session for this task so that it can run under the user account configured for this scheduled task, and when this login occurs, Windows is recorded as type 4 in the log, and for other types of work task systems, Depending on its design, you can also generate type 4 logon events When you start work, and type 4 logins usually indicate that a scheduled task is started, but it may also be a malicious user who is planning a task to guess the user's password, which will result in a Type 4 logon failure event, However, this failed login may also be due to the fact that the user's password for the scheduled task failed to synchronize the changes, such as the user's password changed and forgot to make changes in the scheduled task.
Login Type 5: Services (Service)
Similar to the scheduled task, each service is configured to run under a specific user account, and when a service starts, Windows first creates a login session for that particular user, which is recorded as type 5, and the failure type 5 usually indicates that the user's password has changed and is not updated here. Of course, this may also be caused by malicious user password guessing, but this possibility is relatively small, because the creation of a new service or edit an existing service by default is required to be an administrator or serversoperators identity, and this identity of malicious users, have enough ability to do his bad things, no need to bother to guess the service password.
Login Type 7: Unlock (Unlock)
You might want the workstation to automatically start a password-protected screensaver when a user leaves his computer. When a user comes back to unlock, Windows considers the unlock operation to be a type 7 login, and the failed type 7 login indicates that someone has entered the wrong password or someone is trying to unlock the computer.
Login Type 8: Network plaintext (Networkcleartext)
This login indicates a network login like Type 3, but the password for this login is transmitted through clear text on the network, and the WindowsServer service is not allowed to connect to the shared folder or printer through plaintext authentication. As far as I know, this type of logon is only when you log on from an ASP script that uses ADVAPI or if a user logs on to IIS using Basic authentication. The ADVAPI is listed in the Login procedure column.
Login Type 9: New voucher (newcredentials)
When you run a program using the runas command with the/netonly parameter, runas runs it with the locally currently logged-on user, but if the program needs to connect to another computer on the network, it will connect to the user specified in the runas command. Windows will also record this login as type 9, and if the runas command does not have the/netonly parameter, the program will run with the specified user, but the login type in the log is 2.
Login Type 10: remote interaction (remoteinteractive)
When you access a computer through Terminal Services, Remote Desktop, or Remote Assistance, Windows will be recorded as type 10 to distinguish it from a true console login, noting that the previous version of XP does not support this type of login, for example, Windows2000 still registers Terminal Services with type 2.
Login Type 11: Cache interaction (Cachedinteractive)
Windows supports a feature called cache logons that is especially beneficial for mobile users, such as when you are logged on as a domain user outside your network and you cannot log on to a domain controller, Windows caches the last 10 interactive domain logon voucher hashes by default. If you later log on as a domain user and no domain controller is available, Windows will use these hashes to verify your identity.
The Windows logon type is described above, but by default Windows2000 does not record the security log, you must first enable "Audit logon events" under the Group Policy "Computer Configuration/windows Settings/security Settings/Local Policy/audit policy" to see the record information above. Hope that these detailed records of information to help you better grasp the system situation, maintain network stability.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.