Yes, Windows, in order to get more valuable information from the log, It is subdivided into many types of logon, so that you can tell whether the login is from a local or from a network, and other logon methods. By understanding these logon methods, you can discover suspicious hacker behaviors from Event Logs and determine the attack methods. Next we will take a detailed look at the Windows login type.
Logon type 2: Interactive)
This should be your first login method. The so-called interactive login refers to the user's login on the computer console, that is, the login on the local keyboard, but do not forget that using KVM logon is still an interactive logon, although it is network-based.
Logon type 3: Network)
When you access a computer from the network, Windows is marked as type 3 in most cases. The most common case is to connect to a shared folder or share a printer. In most cases, IIS logon over the network is also recorded as this type, but the basic authentication mode is an exception. It will be recorded as type 8, which will be described below.
Logon type 4: Batch)
When Windows runs a scheduled task, the scheduled Task Service creates a new logon session for the task so that it can run under the user account configured for the scheduled task, when such logon occurs, Windows logs are marked as type 4. For other types of work task systems, it depends on its design, you can also generate type 4 logon events when you start work. Type 4 logon usually indicates that a scheduled task is started, but it may also be a malicious user who guesses the user password by planning the task, this kind of attempt will generate a logon failure event of type 4, but this type of Logon Failure may also be caused by the failure to synchronize the user password of the scheduled task, such as the change of the user password, I forgot to make changes in the scheduled task.
Logon type 5: Service)
Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for this specific user, this will be recorded as type 5. The failure type 5 usually indicates that the user's password has changed and is not updated here. Of course, this may also be caused by malicious user password guesses, however, this possibility is relatively small, because creating a new service or editing an existing service requires the administrator or serversoperators identity by default, and this identity is a malicious user, there is enough capacity to do his bad things, and it is no longer necessary to guess the service password.
Logon type 7: Unlock)
You may want a user to automatically start a password-protected screen saver when they leave his computer. When a user returns to unlock, in Windows, this unlock operation is considered to be a type 7 login. A type 7 login failure indicates that someone has entered the wrong password or someone is trying to unlock the computer.
Logon type 8: Network plaintext (NetworkCleartext)
This type of Logon indicates that this is a network login like type 3, but the login password is transmitted in plaintext over the network, windows server does not allow you to connect to a shared folder or printer through plaintext verification, as far as I know, this type of logon is only possible if you log on from an ASP script using Advapi or a user logs on to IIS using basic authentication. The "Logon Process" column lists Advapi.
Logon type 9: NewCredentials)
When you use the RUNAS command with the/Netonly parameter to run a program, RUNAS runs it as the local current login user, but if this program needs to be connected to other computers on the network, in this case, the user specified in the RUNAS command is connected, and Windows records this type of Logon As type 9. If the RUNAS command does not contain the/Netonly parameter, the program runs as the specified user, but the log logon type is 2.
Logon type 10: RemoteInteractive)
When you access your computer through Terminal Services, Remote Desktop, or remote assistance, Windows is counted as type 10, which is different from real console logon. Note that versions earlier than XP do not support this type of logon, for example, windows still records terminal service logon as type 2.
Logon type 11: cache Interaction)
Windows supports a function called cache logon, which is especially beneficial to mobile users. For example, if you log on from a domain user outside your network and cannot renew the domain controller, this function is used, by default, Windows caches the HASH of the last 10 interactive domain logon credenhash, windows will use these hashes to verify your identity.
The above describes the login type of Windows, but by default, Windows does not record security logs, you must first enable the "Audit Logon Events" under the "Computer Configuration/Windows Settings/Security Settings/Local Policies/audit policies" group policy to view the above record information. We hope that these detailed records will help you better understand the system situation and maintain network stability.
