In this article, you will learn about the different Windows logon types. The logon type is recorded in the Logon Type field of logon events for every successful and failed login. These events appear in the Windows event log and help in analyzing how an account logged on. Windows supports the following nine logon types.
In a remote administration scenario, credentials are always exposed on the source computer, so a trustworthy privileged access workstation (PAW) is always recommended for sensitive or high-impact accounts. Whether credentials are exposed to potential theft on the target (remote) computer depends primarily on the Windows logon type used by the connection method.
Common Windows Logon Types
On Windows-based computers, all authentications are processed as one of several logon types, regardless of which authentication protocol or authenticator is used.
1: Interactive logon
This is also referred to as logon type 2 and it is used at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen with a local or domain account.
2: Network logon
This is also referred to as logon type 3. This logon occurs when you access remote file shares or printers.
Note: Logons to Internet Information Services (IIS) are classified as logon type 3 (network logon), but IIS logons that use the basic authentication protocol are logged as logon type 8.
3: Batch logon
This is also referred to as logon type 4. This is used for scheduled task execution. When the Windows Scheduler service fires up a scheduled task, it first creates a new logon session for the task so that it can run in the security context of the account that was specified when the task was created. Note that other, similar forms of scheduling may also generate logon type 4 events.
4: Service logon
This is also referred to as logon type 5. This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.
5: Unlock logon
This is also referred to as logon type 7. This is used whenever you unlock your Windows machine via the console.
Logon type 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. When a user unlocks the computer, Windows creates a new logon session (or two logon sessions, depending on the elevation conditions) and immediately closes it (with event 4634).
6: Network clear text logon
This is also referred to as logon type 8. This is used when you log on over a network and the password is sent in cleartext. An example is using basic authentication to authenticate to an IIS server.
7: New credentials-based logon
This is also referred to as logon type 9. This is used when you run a program (application) as a different user, i.e., using the runas command and specifying the /netonly switch.
When you start a program with runas using /netonly, the program runs in a new logon session of the currently logged-on user (i.e., the same local identity).
In other words, the program keeps the identity of the user you are currently logged on with, but uses different credentials (the ones specified in the runas command) for other network connections.
Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command and logs the logon event with type 2.
8: Remote Interactive logon
This is also referred to as logon type 10. This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.
9: Cached Interactive logon
This is also referred to as logon type 11. This is logged when users log on using cached credentials, either when they are off the network or when the domain controller (DC) is not available.
Note: By default, Windows caches the credential hashes of the last 10 interactive domain logons, so you can still log on to your local machine using your domain credentials.
Having a good knowledge of the various logon types will help you in analyzing logon-related errors.
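The following Python example is added here and is not part of the original article. It decodes the Logon Type field from Security log events in XML form, counts logons per type and result, and lists type 8 (cleartext) logons for review. It assumes event IDs 4624 and 4625 are the successful and failed logon events; the sample events are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon type numbers and names as listed in the article above.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "Network cleartext", 9: "New credentials",
               10: "Remote interactive", 11: "Cached interactive"}
LOGON_EVENT_IDS = {4624: "success", 4625: "failure"}  # assumed event IDs

def _event(eid, user, ltype, ip="-"):
    """Build one constructed sample event in the Security log XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{ltype}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample input (not real log data).
SAMPLE = "<Events>" + "".join([
    _event(4624, "alice", 2), _event(4624, "svc_backup", 5),
    _event(4624, "bob", 3, "192.0.2.10"), _event(4625, "bob", 10, "192.0.2.44"),
    _event(4624, "webuser", 8, "192.0.2.77"), _event(4624, "alice", 7),
    _event(4634, "alice", 7),  # session-close event from the unlock: skipped
]) + "</Events>"

def parse_logons(xml_text):
    """Return one dict per logon event (4624/4625) with the type decoded."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in LOGON_EVENT_IDS:
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        ltype = int(data["LogonType"])
        rows.append({"result": LOGON_EVENT_IDS[eid], "user": data["TargetUserName"],
                     "type": ltype, "name": LOGON_TYPES.get(ltype, "Unknown"),
                     "source": data.get("IpAddress", "-")})
    return rows

def summarize(rows):
    """Count logons per (type name, result) and list cleartext (type 8) logons."""
    counts = Counter((r["name"], r["result"]) for r in rows)
    cleartext = [(r["user"], r["source"]) for r in rows if r["type"] == 8]
    return counts, cleartext

if __name__ == "__main__":
    counts, cleartext = summarize(parse_logons(SAMPLE))
    for (name, result), n in sorted(counts.items()):
        print(f"{name:20} {result:8} {n}")
    print("cleartext logons:", cleartext)
```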
I hope you found this article useful. If you have any questions, kindly let me know via the comment section.