Event id 4634. 5 days ago · Learn about Windows Event ID 4779 from Security-Auditing. e the event 4624 immediately followed by the event id 4634. By searching earlier in the event log, a session end event (ID 4634) was found with the same Logon ID at 5:30PM on the same day. XXXXX Account Name: XXXXX. Log below: An account was successfully logged on. No further user-initiated activity can occur. local, even though I didn't attempt to log in. Sep 6, 2021 · The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated. Id -eq 4634 -and $. This event is generated when a logon session is terminated and no longer exists. While it doesn't directly indicate usage, in conjunction with logon events, it can help paint a picture of the account's activity patterns. Logoff events (Event ID 4634 and 4647): Events 4634 and 4647 are generated when a user logs off from a domain controller. Jul 27, 2016 · When looking at the 4634 event, you can see that the Logon Type property is now the 5th - so you may want to modify your query to something like: where { {$. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Jun 4, 2020 · In the Windows Logs > Security Event log I see event 4634 (Logoff) followed by 4776 (Credential Validation), 4672 (Special Login) and 4624 (Login). The every 5 minutes thing must mean something. Windows Security Log Event ID 4634: An account was logged off. Also see event ID 4647, which Windows logs instead of this event in the case of interactive logons when the user logs out. Jul 14, 2016 · Here, you can see that the VDOC\Administrator account had logged in (ID 4624) on 6/13/2016 at 10:42 PM with a Logon ID of 0x144ac2.
Test String An account was logged off. Event ID 4634 – Logoff Event: This event is generated when a user logs off from the system. Subject: Security ID: S-1-5-21-1295735054-2686911222-1107198153-1174 Account Name: companyowner Account Domain: COMPANY Logon ID: 0x2506E0E Logon Type: 3 This event is generated when a logon session is destroyed. Feb 18, 2022 · Too many event id 4624 and 4634 why? Hi, I've on prem 2016 CU19 2 node Exchange with MAPI over HTTP connection enable protocol for client connection. properties [8] -eq 2} -or {$. Oct 17, 2025 · We have a lot of event id 4624 type 3, 4627 and 4634 on a file server for a specific user and workstation. " for the local Aug 19, 2022 · When the user began the logoff procedure, both 4647 and 4634 events are normally shown. It is essential to understand its meaning, the reasons why it occurs and Feb 17, 2022 · Repeated 4624 & 4634 Events on Windows Server 2016 Software & Applications windows-server question general-windows mattvernon (mattvernon) February 17, 2022, 11:12am By comparing three notable Event IDs, it is possible to build a timeline of when a user account was actively logged into a system. Event 4634 is generated when an account is logged off from a system, recording the end of a user session. Jun 22, 2018 · Event ID: 4688 (meaning: a new process was created) Event ID: 4634 (meaning: an account was logged off) Odds and ends ② (slides 16-18) Event ID: 1149 (meaning: user authentication succeeded in Remote Desktop Services) Behavior of the Local Session Manager Odds and ends ③ Sep 2, 2020 · Understand Windows Account Logon and Logon Events for incident response, user activity tracking, and security event log analysis. Find out when and why this event is generated, and see examples and explanations of its fields.
Security ID: Security ID for an account that was logged off. Eventually led me to events log viewer where I could see that every time I was logged off, the following event has occurred. Account Whose Credentials Were Used: These are the new credentials. Track RDP session disconnections, investigate security threats, and monitor remote access patterns. Feb 20, 2018 · A cohesive and comprehensive walk-through of the most common and empirically useful RDP-related Windows Event Log Sources and IDs, grouped by stage of occurrence (Connection, Authentication, Logon, Disconnect/Reconnect, Logoff). This won’t Oct 15, 2025 · Then there are success events: 4634 And even later, events 4624, 4672, 4624, and 4634 related to myaccount@contoso. Event Id 4634 XML format Fields Description: Subject Information 1. Dec 3, 2021 · In this example, the LAB\Administrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. Jun 17, 2018 · C. How to filter: If you want to view account logon events, click Filter Current Log on the right and enter 4624 and 4625 in the Event ID field; 4624 is a successful logon, 4625 a failed logon. D. Event IDs and common scenarios: In Windows event log analysis, different EVENT IDs carry different meanings; below are excerpted descriptions of some common security events. May 20, 2014 · If I remote desktop to the domain controller or a member server and use a correct username but incorrect password neither the member server nor the domain controller logs Event ID 4625, which is what I would expect for “An account failed to log on”. I'm trying to narrow these down to the actual event of logging on and logging off, but with so much noise it is hard to figure out the real event. Mar 23, 2021 · Security ID: AIINNOVATIONS\XXXXX. Find out the security implications, logon types, and operating systems for this event. Oct 14, 2025 · This article has guidance for: Organizations with IT-managed Windows devices and updates. This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
Mar 31, 2010 · I'm getting 3-5 logon (4624) and multiple 4634 events for every logoff. Nov 7, 2013 · This article explains the Active Directory user Logoff event ID 4634, how to enable this event via group policy and auditpol, and how to track a user's logon duration from logon 4624 and logoff 4634 events. Account Domain: Domain name 3. May 24, 2025 · The 4634 event id refers to a specific Windows event log entry indicating a user's account has been logged off. Dec 6, 2023 · When I run Get-EventLog or Get-WinEvent and filter for Login (Event ID 4624) and Logoff (Event ID 4634) events, I only am seeing Logoff events with no corresponding Login events. in front of Exchange an Array Networks load balancer. Applications Manager typically collects data every 5 minutes and performs login/off operations 3-5 times per data collection, which amounts to approximately 1000+ events getting generated per day per server. However, we are seeing a series of 4624, 4634 events. These events indicate that the user logged in and logged out. The events *stop* if I disable the network. The main difference with “ 4634 (S): An account was logged off. When the user finally logs off, Windows will record a 4634 followed by a 4647. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command. " Why is it telling me the logon failed but on the server it shows it logging me out every time I try to connect? Feb 10, 2024 · Event ID 4634: This event signals a logoff. Of course, logging off is also recorded in the Event Viewer. Event ID 4634 shows up when they log off if they do it properly. If you don't see anything, then either your event log has been purged, or the event is too old and you need to change how much data the event viewer stores. Log on type 2 This event is generated when a logon session is destroyed. ” event. Logon 4647 occurs when the logon session is fully terminated.
If a user initiates logoff, typically, both 4674 and 4634 will be triggered. Anyone have suggestions on filtering this stuff or seeking an alternative method of obtaining the logon/logoff events/actions. They are all coming from my Win2012 server. This event, categorized as 'Audit Logoff', is generated when a logon session comes to an end. This event marks the end of a logon session and can be correlated back to 4624 using TargetLogonId to find the user session duration. It documents a user logoff event from the local computer. 2. Provides you with more information on Windows events. For example, it contains successful and failed user logons (event IDs 4624, 4625), but it doesn't contain sign-out information (4634) which, while important for auditing, is not meaningful for breach detection and has relatively high volume. What should be the approach to determine if the user is actually logged off from a machine in a domain? A comprehensive list of event IDs can be found here. Note that when a user unlocks a computer, Windows creates a new logon session (or 2 logon sessions depending on the elevation conditions) and immediately closes it (with event 4634). In all such “interactive logons”, during logoff, the workstation will record a “logoff initiated” event (551/4647) followed by the actual logoff event (538/4634). Common - A standard set of events for auditing purposes. This set contains a full user audit trail. For example, it contains both user sign-in and user sign-out events (event IDs 4624, 4634). This event is generated when the user logon is of interactive and remote-interactive types, and the logoff was via standard methods. The logon type for both is 7. Learn what event ID 4634 means and how to interpret it in Windows security logs.
Hi, when I check my event log I have several logon/logoff events on a daily basis. Logon ID:I Learn what event ID 4634 means and how to monitor it with ADAudit Plus, a tool for Active Directory auditing and reporting. I get several "Special Privileges…. Event 4634 is generated when a logon session is terminated. My research has only vague and conflicting information. Account Name: The name of the account that was logged off. Subject: Security ID: S-1-5-21-2883959765-1550083997-3048789898-500 Account Name: Administrator Account Domain: WIN2K12-TEST Logon ID: 0x8398DA6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with event 4624 (An account was successfully logged on) using the Logon ID value. This event lets you know whenever an account assigned any "administrator equivalent" user rights logs on. You will typically see both 4647 and 4634 events when the logoff procedure was initiated by the user. While often overlooked, this event is valuable for calculating session durations, detecting anomalous logon patterns when correlated with Event 4624, and identifying potential cleanup activities by attackers attempting to remove their traces. You can correlate logon and logoff events by Logon ID, which is a hexadecimal code that identifies that particular logon session. 6 a user can never log on today - Always Event ID 4634 An Account was logged off - Session is destroyed Feb 10, 2022 · We expect to see 1 logon security event (4624) associated with one logonId session in the AD security log for the above user account.
If a user's connection drops and automatically reconnects, you'll see a corresponding 4634 (logoff) and 4624 (logon) event pair. Nov 3, 2021 · Windows Event Logs mindmap provides a simplified view of Windows Event logs and their capacities that enables defenders to enhance visibility for different purposes: log collection (e.g. into a SIEM), threat hunting, forensics / DFIR, troubleshooting. Scheduled tasks: Event ID 4697, this event is generated when a new service was installed in the system. Understanding its causes, such as scheduled tasks or system crashes, helps administrators optimize system performance, ensure security compliance, and resolve logoff issues effectively. Event ID 4634 may correlate positively with Event ID 4624: An account was successfully logged on. Jul 8, 2012 · What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008? Nov 21, 2019 · Logons in Event ID 4624, logoffs in Event ID 4634. Since Windows offers many different ways to log on as well as to log off, we show you what the different Logon Type Codes mean. Prior to that the event viewer logs Logon ID: a semi-unique (unique between reboots) number that identifies the logon session just initiated. Event ID 4672: Special Logon. It is perfectly normal. In this article, we will discuss Windows event id 4624 logon types, event field information, and security monitoring recommendations. 1. (services and applications that interact closely with the A comprehensive overview of Windows Event Log, including Event IDs, Event Channels, Providers, and how to collect, filter, and forward Windows logs. Event ID 4634, within the Windows security event log, is a crucial indicator for the monitoring and security of any Microsoft-based operating system. Logon IDs are only unique between reboots on the same computer.
Event ID 4624: A user successfully logged on to a computer. Learn what triggers user session destruction events and how to monitor session termination patterns effectively. March 2019 Event ID 4624 (formerly also 528 and 540) with Source: Microsoft Windows security and Task Category: Logon records a successful logon, Event ID 4634 (formerly also 538) with Source: Microsoft Windows security and Task Category: Logoff a logoff. #> Function Get-LocalLogOnHistory { [CmdletBinding()] param ( [Parameter()][String Feb 16, 2020 · This event is very important and highly valuable. This event can be interpreted as a logoff event. And also the suspicious event 4799 "A security-enabled local group membership was enumerated. If both account logon and logon audit policy categories are enabled, logons that use a domain account generate a logon or logoff event on the workstation or server. Windows event ID 6279 - Network Policy Server locked the user account due to repeated failed authentication attempts. Windows event ID 6280 - Network Policy Server unlocked the user account. Windows event ID 6281 - Code Integrity determined that the page hashes of an image file are not valid. But I still have concerns about it. Event 4643 can be correlated with event 4624, in which a May 12, 2022 · When I look in the Security Event log, I see thousands of Logon (Event ID 4624), Logoff (Event ID 4634) and Special Logon (Event ID 4672) events - hundreds per hour being generated. Event 4634 is generated when a session ends, while event 4647 is generated when a user initiates the logoff. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %5 This event is generated when a logon session is destroyed. Event ID: 4634 Task: Logoff An account was logged off.
Dec 22, 2015 · Logoff Event ID 4634 Now, you can filter the event viewer to those Event IDs using Event Viewer, but you can’t filter out all the noise around anything authenticating to and from the PC you’re investigating. Event ID 4634 logon type 2 means that a user logs on at this computer. Please do not confuse this with event 4647, in which a user initiates the logoff (that is, a specific account uses the logoff function). Because of this, important security events are being overwritten. This can help to identify potential periods of inactivity where the account isn't actively being used. They are all logon type 3. Apr 2, 2024 · This means you'll see a high volume of 4624/4634 events for various user accounts. As I noted the program eventcombMT collects this, but the parsing is horrible. Only between reboots on the same machine are logon IDs distinct. Mar 25, 2022 · Enter 4634,4647 in the field under Includes/Excludes Event IDs: Click OK, and you'll see a list of events related to the chosen event IDs. Event ID 4634 indicates the user initiated the logoff sequence, which may get canceled. I also checked and both the logon and logoff have the same Logon ID. They are analyzed using Windows Event Viewer. Account Domain: the domain name. Logon ID: of type HexInt64. It contains a hexadecimal value that you can use to correlate event ID 4634 with recent events that might contain the same Logon ID, for example event ID 4624 - "An account was successfully logged on." LogonType: contains a value of type UInt32 indicating the type of logon that was used. Jun 19, 2017 · Xendesktop 7. Account logon events are generated on domain controllers for domain account activity and on local devices for local account activity. A pair of 4624 and 4634 are tied to one unique logonId. It is also a routine event which periodically occurs during normal operating system activity. XXXXX Account Domain: ?????????? Logon ID: 0x3404D23E Logon Type: 3 This event is generated when a logon session is destroyed.
Dec 26, 2025 · Microsoft offers a wide array of business-critical technology solutions and logging capabilities to help manage security which can become overwhelming. But however I am seeing these two events in pairs i. 5 days ago · Event ID 4109 records user logoff events initiated by the Windows initialization process, providing an audit trail for session termination and system security monitoring. Aug 17, 2023 · Vivek Jagad over 3 years ago Hello Georg Zoeller, thank you for reaching out to the community. Event Id 4634 logon type 3 means that the user or computer logged on to this computer from the network. This can result in a rise of Windows security event ID 4634 being logged, indicating terminated sessions rather than successful logoffs. This clearly depicts the user’s logon session time. Nov 24, 2020 · Checking RDP connection event logs can help you follow the trail an attacker leaves, but you have to know what you're looking at. Using the Logon ID value, it may be positively associated with a “4624: An account was successfully logged on. 5 days ago · This event pairs with Event ID 4647 (user-initiated logoff) and Event ID 4634 (account logoff) to provide complete session lifecycle tracking. However, in the case of an interactive logon, Windows logs 4647 when a user logoff is seen. Dec 29, 2022 · The login event id is 4624 and the logoff event id is 4634. These might be useful for detecting any "super user" account logons. Logon ID is a semi-unique (unique between reboots) number that identifies the logon session just initiated. Accessing Member Servers Feb 10, 2016 · An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation.
Event ID 4647: A user initiated the logoff. Event ID 4624: An account was successfully logged on. ” event is that the 4647 event is generated when the logoff procedure was initiated by a specific account using the logoff function, and the 4634 event shows that the session was terminated and no longer Security event log lots of 4624/4634 logon type 3 entries for domain administrator I've recently started examining security event logs from my organization's domain controllers and I've come across some events that I'm trying to determine the cause of. Describes security event 4634 (S) An account was logged off. Id -eq 4624 -and $. properties [4] -eq 2}} Subcategory: Audit Logon Event Description: This event is generated when a process attempts an account logon by explicitly specifying that account’s credentials. Mar 11, 2019 · Windows Logon Type Codes by Andreas Schreiner · 11. Let’s understand event ID 4634 in detail with its fields. Event 4634. Mar 11, 2016 · If the user does not log off but shuts down the computer instead, event 4634 is not logged until after the next system start. Spiceworks is filling our security event logs with useless ‘successful’ audit events and causing the logs to be rotated every 48 hours or so. Jan 15, 2026 · Windows Event Log Analysis ideally helps to analyze system logs into a SIEM or other log aggregator to support effective incident response. According to the event time, they happened at the exact same second.
Jul 24, 2013 · All of our Windows computers are being flooded with Excessive Logon/Logoff Event IDs 4624 4634 4672 every time Spiceworks does a health scan on them (every 15 mins). This event indicates that the user (rather than the system) started the logoff process. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634. Since about 3/4 days ago, Splunk shows me that many event ID 4624 and event ID 4634 are logged on both Exchange servers. Jul 16, 2024 · Anonymous Jul 17, 2024, 1:02 AM Hello, good day! You can try to check event ID 4634 and event ID 4647 via Security log on the machines that other users log on (it is computer policy). Subject: Security ID: NULL SID Account Name: - Sep 8, 2023 · This event logs the account logged on; it helps to monitor actions on the computer like anomalies or malicious actions, non-active account login attempts, external accounts and so many others. Apr 30, 2015 · Jack, that is true to a point but when a user logs into their computer and it is connected to our domain, the domain controller that authenticated them adds the event to the security event log (on that DC) with Event ID 4626 for the logon. Jul 14, 2022 · We'll continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques. Then search for session end event (ID 4634) with the same Logon ID at 7:22 PM on the same day. It records the successful logon by a user on a computer. This started after a specific date and is continuous. Event ID 4674 can be associated with event ID 4624 (successful account logon) using the Logon ID value.
Best Regards, Daisy Zhou Anonymous Jul 17, 2024, 12:30 AM Hi Daisy Zhou123, thanks for the confirmation. Subject: Security ID: Domain\ad2user Account Name: ad1user Account Domain: Domain Logon ID: 0xbb55b23 Logon Type: 3 This event is generated when a logon session is destroyed. Logon event example: An account was successfully logged on. This simply records that a session no longer exists because it was terminated. We do not expect to see any logoff event (4634) until the user explicitly logs off. The log doesn't show any IP address or service. This list of critical Event IDs to monitor can help you get started. Jun 4, 2023 · Event ID 4634: “An account was logged off” This event is generated whenever a user simply disconnects from an RDP session or formally logs off via Windows Start Menu Logoff. It may be positively correlated with a logon event using the Logon ID value. Learn what triggers account logoff events and how to monitor user session termination effectively. event that uses the Login ID value. Event ID 4634: An account was successfully logged off. Subject: Security ID: TESTGROUND\cacheduser Account Name: cacheduser Account Domain: TESTGROUND Logon ID: 0xbed3f1 Logon Type: 2 This event is generated when a logon session is destroyed. Event ID 4768: This event is generated when a Kerberos authentication ticket (TGT) is requested. Microsoft Windows Security Auditing. Sep 6, 2021 · Determines whether to audit each instance of a user logging on to or logging off from a device. You can save Oct 7, 2023 · We explain how to analyze Event ID 4624, An account was successfully logged. 6 days ago · Understand Windows Event ID 4634 from Security Auditing. System administrators rely on Event ID 6145 for user activity auditing, session management troubleshooting, and security investigations involving unauthorized session terminations.
While I was looking through the 4624 / 4634 events in the event log, I found that several times throughout the day there was a 4624 (logon) followed immediately by a 4634 (logoff). 5 days ago · Understand Windows Event ID 5617 from Winlogon. Aug 13, 2021 · I just find the message for event ID 4634 "An account was logged off. This event is crucial for Windows security auditing, system monitoring, and troubleshooting. An account was logged off. Linked Login ID: (Win2016/10) This is relevant to User Account Control and interactive logons. Sep 1, 2016 · The problem is, I am getting a crazy amount of events with ID 4634, 4624 and 4672. May 26, 2023 · I have Windows Server 2019 on which one application is running and it is using local user administrator account, however this account is getting logged off automatically with event id 4647 (user-initiated logoff) and as a result application also stops working, no one is doing this interactive log off. May 1, 2023 · Also checked event viewer on server giving event id 4634. Recommendations for Security Monitoring For 4634:- A user account was To compensate for the problems with using event ID 4634 to accurately track logoffs, Windows also logs event ID 4647 (A user initiated a logoff). However, I do get 4634 which is “An account was logged off”. Event ID 4634: The logoff process was completed for a user. I am receiving 1 event every 2 seconds pretty much. The events are all followed by a 4634 Logoff event 15-20 seconds later, only to repeat instantly. Most of the data volume of this set consists of sign-in events and process creation events (event ID 4688). Note For