Logon types are recorded in the Logon Type field of logon events for every successful and failed logon. These events appear in the Windows event log and help in analysing the various logon types.
Windows supports a total of nine different logon types. Here are the most common logon types:
1: Interactive logon: This is also referred to as logon type 2 and it is used at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen with a local or domain account.
2: Network logon: This is also referred to as logon type 3. This logon occurs when you access remote file shares or printers.
Note: Internet Information Services (IIS) logons are classified as logon type 3 (network logon), but IIS logons that use the basic authentication protocol are logged as logon type 8.
3: Batch logon: This is also referred to as logon type 4. This is used for scheduled task execution. When the Windows Scheduler service fires up a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created. It is worth noting that other, similar forms of scheduling may also generate logon type 4 events.
4: Service logon: This is also referred to as logon type 5. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
5: Unlock: This is also referred to as logon type 7. This is used whenever you unlock your Windows machine via the console.
6: Network clear text logon: This is also referred to as logon type 8. This is used when you log on over a network and the password is sent in clear text. An example is using basic authentication to authenticate to an IIS server.
7: New credentials-based logon: This is also referred to as logon type 9. This is used when you run a program (application) as a different user, i.e., using the runas command and specifying the /netonly switch. When you start a program with runas using /netonly, the program runs in a new logon session of the currently logged-on user (i.e., the same local identity).
In other words, the program keeps the identity of the user you are currently logged on with, but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.
8: Remote Interactive logon: This is also referred to as logon type 10. This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
9: Cached Interactive logon: This is also referred to as logon type 11. This is logged when users log on using cached credentials when users are off the network or when the domain controller (DC) is not available.
Note: By default, Windows caches the credential hashes of the last 10 interactive domain logons, so you can still log on to your local machine using your domain credentials.
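To put the list above to work during log review, the following added example (not part of the original article) reads logon events in event-log XML form, translates the Logon Type field into the names used above, and singles out type 8 logons, where the password was sent in clear text. The event IDs 4624/4625/4634, the field names TargetUserName and LogonType, the wrapping Events element and the sample accounts are assumptions of this example, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon Type values and names as listed in the article.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "Network clear text", 9: "New credentials",
               10: "Remote interactive", 11: "Cached interactive"}
# Assumption (not stated in the article): Security log event IDs
# 4624 = successful logon, 4625 = failed logon.
OUTCOME = {4624: "success", 4625: "failure"}

def _event(event_id, user, logon_type):
    """Build one constructed event holding only the fields read below."""
    return (f"<Event><System><EventID>{event_id}</EventID></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data></EventData></Event>")

# Constructed sample data, not taken from a real host.
SAMPLE = (f"<Events xmlns='{NS['e']}'>"
          + _event(4624, "alice", 2) + _event(4624, "svc_backup", 5)
          + _event(4624, "bob", 8) + _event(4625, "bob", 3)
          + _event(4624, "carol", 10) + _event(4634, "alice", 2)  # 4634 = logoff
          + "</Events>")

def parse_logons(xml_text):
    """Return one dict per logon event: outcome, user, type number, type name."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in OUTCOME:
            continue  # skip anything that is not a logon success or failure
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        ltype = int(data.get("LogonType") or 0)
        rows.append({"outcome": OUTCOME[event_id], "user": data.get("TargetUserName"),
                     "type": ltype, "name": LOGON_TYPES.get(ltype, "Unknown")})
    return rows

def summarize(rows):
    """Count events per (logon type name, outcome) pair."""
    return Counter((r["name"], r["outcome"]) for r in rows)

def cleartext_logons(rows):
    """Users seen with logon type 8, i.e. a password sent in clear text."""
    return sorted({r["user"] for r in rows if r["type"] == 8})

if __name__ == "__main__":
    logons = parse_logons(SAMPLE)
    for (name, outcome), count in sorted(summarize(logons).items()):
        print(f"{name:20} {outcome:8} {count}")
    print("Clear text logons:", cleartext_logons(logons))
```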
I hope you found this article useful. If you have any questions, kindly let me know via the comment section.