
Logon types are recorded in the Logon Type field of logon events for every successful and failed logon. These events appear in the Windows event log and help in analyzing the various logon types. The Windows environment supports the following logon types, nine in total.
Here are the most common logon types:
1: Interactive logon: This is also referred to as logon type 2 and it is used at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen with a local or domain account.
2: Network logon: This is also referred to as logon type 3. This logon occurs when you access remote file shares or printers.
Note: Internet Information Services (IIS) logons are classified as logon type 3 (network logon), but IIS logons that use the basic authentication protocol are logged as logon type 8.
3: Batch logon: This is also referred to as logon type 4. This is used for scheduled task execution. When the Windows Scheduler service fires up a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created. It is worth noting that other, similar forms of scheduling may also generate logon type 4 events.
4: Service logon: This is also referred to as logon type 5. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
5: Unlock: This is also referred to as logon type 7. This is used whenever you unlock your Windows machine via the console.
6: Network clear text logon: This is also referred to as logon type 8. This is used when you log on over a network and the password is sent in cleartext. An example is using basic authentication to authenticate to an IIS server.
7: New credentials-based logon: This is also referred to as logon type 9. This is used when you run a program (application) as a different user, i.e., using the runas command and specifying the /netonly switch. When you start a program with runas using /netonly, the program runs in a new logon session of the currently logged-on user (i.e., the same local identity). In other words, the program keeps the identity of the user you are currently logged on with, but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command and logs the logon event with type 2.
8: Remote Interactive logon: This is also referred to as logon type 10. This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
9: Cached Interactive logon: This is also referred to as logon type 11. This is logged when users log on using cached credentials because they are off the network or the domain controller (DC) is not available.
Note: By default, Windows caches the credential hashes of the last 10 interactive domain logons, so you can still log on to your local machine using your domain credentials.
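As an added example (not part of the original article), the following Python script maps the Logon Type field of exported logon events to the names listed above and marks the types a reviewer would usually check first. It assumes event IDs 4624 (successful logon) and 4625 (failed logon) in the event XML schema shown in Event Viewer's XML view; the sample events, user names, helper names and the `REVIEW_TYPES` choice are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type numbers and names as listed in the article above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
REVIEW_TYPES = {8, 10}  # assumption: cleartext and RDP logons get a second look

def _event(event_id, user, logon_type):
    """Build one constructed event, trimmed to the fields used here."""
    return (f"<Event><System><EventID>{event_id}</EventID></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data></EventData></Event>")

# Constructed sample data, not real log output.
SAMPLE = (f"<Events xmlns='{NS['e']}'>"
          + _event(4624, "alice", 2) + _event(4624, "svc_backup", 5)
          + _event(4625, "bob", 3) + _event(4624, "webuser", 8)
          + _event(4624, "carol", 10) + _event(4634, "alice", 2)
          + "</Events>")

def parse_logons(xml_text):
    """Return one dict per 4624 (success) or 4625 (failure) event."""
    logons = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4624, 4625):
            continue  # e.g. 4634 (logoff) also carries a LogonType field
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        lt = int(data.get("LogonType") or 0)
        logons.append({"user": data.get("TargetUserName", ""),
                       "success": event_id == 4624, "type": lt,
                       "name": LOGON_TYPES.get(lt, f"Unknown({lt})"),
                       "review": lt in REVIEW_TYPES})
    return logons

def summarize(logons):
    """Count events per (logon type name, outcome)."""
    return Counter((r["name"], "ok" if r["success"] else "failed")
                   for r in logons)

if __name__ == "__main__":
    events = parse_logons(SAMPLE)
    for key, count in sorted(summarize(events).items()):
        print(key, count)
    print("review:", [(r["user"], r["name"]) for r in events if r["review"]])
```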
A good knowledge of the various logon types will help you analyze the logon types you come across in your organization.
I hope you found this article useful. If you have any questions, kindly let me know via the comment section.