2024年4月14日发(作者:)

Windows Logon Type的含义是什么?

我只是把主要的内容整理了一下备查。

Logon type 2 Interactive 本地交互登录。最常见的登录方式。

Logon type 3 Network 网络登录 - 最常见的是访问网络共享文件夹或打印机。IIS的认证也是Type 3

Logon type 4 Batch 计划任务

Logon Type 5 Service 服务

某些服务是用一个域帐号来运行的,出现Failure常见的情况是管理员更改了域帐号密码,但是忘记重设Service中的

帐号密码。

Logon Type 7 Unlock 解除屏幕锁定

很多公司都有这样的安全设置:当用户离开屏幕一段时间后,屏保程序会锁定计算机屏幕。解开屏幕锁定需要键入用户

名和密码。此时产生的日志类型就是Type 7

Logon Type 8 NetworkCleartext 网络明文登录 -- 通常发生在IIS 的 ASP登录。不推荐

Logon Type 9 NewCredentials 新身份登录 -- 通常发生在RunAS方式运行某程序时的登录验证。

Logon Type 10 RemoteInteractive 远程登录 -- 比如Terminal service或者RDP方式。但是Windows 2000是没有Type10

的,用Type 2。WindowsXP/2003起有Type 10

Logon Type 11 CachedInteractive 缓存登录

为方便笔记本电脑用户,Windows会缓存前10次成功登录的登录。

附原文:

The logon/logoff category of the Windows security log gives you the ability to monitor all attempts to access

the local computer. In this article I’ll examine each logon type in greater detail and show you how some

other fields in Logon/Logoff events can be helpful for understanding the nature of a given logon attempt.

Event IDs 528 and 540 signify a successful logon, event ID 538 a logoff and all the other events in this category

identify different reasons for a logon failure. However, just knowing about a successful or failed logon attempt

doesn’t fill in the whole picture. Because of all the services Windows offers, there are many different ways

you can logon to a computer such as interactively at the computer’s local keyboard and screen, over the network

through a drive mapping or through terminal services (aka remote desktop) or through IIS. Thankfully,

logon/logoff events specify the Logon Type code which reveals the type of logon that prompted the event.

Logon Type 2 – Interactive

This is what occurs to you first when you think of logons, that is, a logon at the console of a computer.

You’ll see type 2 logons when a user attempts to log on at the local keyboard and screen whether with a domain

account or a local account from the computer’s local SAM. To tell the difference between an attempt to logon

with a local or domain account look for the domain or computer name preceding the user name in the event’s

description. Don’t forget that logon’s through an KVM over IP component or a server’s proprietary

“lights-out” remote KVM feature are still interactive logons from the standpoint of Windows and will be

logged as such.

Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the

most common sources of logon events with logon type 3 is connections to shared folders or printers. But other

over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is

basic authentication which is explained in Logon Type 8 below.)

Logon Type 4 – Batch

When Windows executes a scheduled task, the Scheduled Task service first creates a new logon session for the

task so that it can run under the authority of the user account specified when the task was created. When

this logon attempt occurs, Windows logs it as logon type 4. Other job scheduling systems, depending on their

design, may also generate logon events with logon type 4 when starting jobs. Logon type 4 events are usually

just innocent scheduled tasks startups but a malicious user could try to subvert security by trying to guess

the password of an account through scheduled tasks. Such attempts would generate a logon failure event where

logon type is 4. But logon failures associated with scheduled tasks can also result from an administrator

entering the wrong password for the account at the time of task creation or from the password of an account

being changed without modifying the scheduled task to use the new password.

Logon Type 5 – Service

Similar to Scheduled Tasks, each service is configured to run as a specified user account. When a service

starts, Windows first creates a logon session for the specified user account which results in a Logon/Logoff

event with logon type 5. Failed logon events with logon type 5 usually indicate the password of an account

has been changed without updating the service but there’s always the possibility of malicious users at work

too. However this is less likely because creating a new service or editing an existing service by default

requires membership in Administrators or Server Operators and such a user, if malicious, will likely already

have enough authority to perpetrate his desired goal.