Question
Monday, May 14, 2018 11:06 AM
How is one session assigned to Logon ID 0x2c405, and another session to Logon ID 0x3e7? What is the difference between the sessions, why do the Logon IDs have different numbers, what do these numbers show, and what depends on them?
All replies (6)
Monday, May 14, 2018 8:50 PM
Can you please explain more about where and with what command(s) you see these Logon IDs?
Thursday, May 17, 2018 11:07 AM
I see the Logon ID in the Windows Security log.
Why are the Logon IDs 0x3e7 and 0x3e5 reserved, what does each of them mean, and why are they different?
Thursday, May 17, 2018 5:31 PM
Can you please let us know what Event ID(s) you are seeing this in?
Tuesday, May 22, 2018 9:23 AM
4634 4647
Wednesday, May 23, 2018 8:30 PM
Thanks for that. OK, getting somewhere in my search; I can see the Logon ID varies in the logs for me with the same user.
The text in the event states "Logon IDs are only unique between reboots on the same computer.", but this says:
"An event with logon type = 7 occurs when a user unlocks (or attempts to unlock) a previously locked workstation. Note that when a user unlocks computer, Windows creates a new logon session (or 2 logon sessions depending on the elevation conditions) and immediately closes it (with event 4634). When you are switching between logged on user accounts with Fast User Switching feature, you may think that such switching generates event 4624 with logon type = 7 because it looks like you lock and unlock workstation. However Windows generates events 4624 with logon type = 2 (interactive). When Audit Failure logon event (4625) is registered with logon type = 7, this commonly means that either you made a typo when entering the password, or someone is trying to break into the computer."
So it does mention 4634, and "Note that when a user unlocks computer, Windows creates a new logon session" in that text says this is the way Windows works in the background. As I do not lock my workstation, perhaps Windows does more of these, perhaps with auto logins (like I see in Edge or perhaps the Store).
Monday, May 28, 2018 10:17 AM
I now see messages in the Windows log in which different LogonId values are combined with different LogonType values, from 0 to 11. Also, based on what (and how reliable is the source of information) can I distinguish legitimate traffic from illegitimate?
Event 4624
Logon Type 11: CachedInteractive. Logon ID (0x0,0x3e7) NT AUTHORITY\SYSTEM.
The events are then erased with a stress recording that the Event Service has stopped working, then everything is empty in the log.
My records remained, the archiving of the log was set up - too, everything is erased, a strong analog Back2Life receives events that clearly contradict my records and studies.
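As an added example (not part of any post in this thread): one way to pair logon events (4624) with the logoff events the thread mentions (4634, 4647) by Logon ID, treating IDs as unique only within one boot. The record field names and the `SAMPLE` data are constructed for illustration; the well-known LUID values come from `winnt.h`, not from the thread, and event 4608 (Windows is starting up) is used here as the boot marker.

```python
WELL_KNOWN = {  # fixed logon-session LUIDs defined in winnt.h
    0x3E7: "NT AUTHORITY\\SYSTEM",
    0x3E6: "ANONYMOUS LOGON",
    0x3E5: "NT AUTHORITY\\LOCAL SERVICE",
    0x3E4: "NT AUTHORITY\\NETWORK SERVICE",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
               10: "RemoteInteractive", 11: "CachedInteractive"}

SAMPLE = [  # constructed records in time order, not taken from a real log
    {"time": "09:00:01", "id": 4624, "logon_id": "0x3e7", "type": 5, "user": "SYSTEM"},
    {"time": "09:01:10", "id": 4624, "logon_id": "0x2c405", "type": 2, "user": "alice"},
    {"time": "09:30:00", "id": 4624, "logon_id": "0x51a20", "type": 7, "user": "alice"},
    {"time": "09:30:00", "id": 4634, "logon_id": "0x51a20"},  # unlock session closed at once
    {"time": "17:00:00", "id": 4647, "logon_id": "0x2c405"},
    {"time": "17:00:02", "id": 4634, "logon_id": "0x2c405"},
    {"time": "17:05:00", "id": 4608},                          # restart
    {"time": "17:06:00", "id": 4624, "logon_id": "0x2c405", "type": 11, "user": "bob"},
    {"time": "17:20:00", "id": 4634, "logon_id": "0x9999"},   # logoff with no logon
]

def correlate(events):
    """Return (closed, still_open, orphan_logoffs) for time-ordered events."""
    boot, open_s, closed, done, orphans = 0, {}, [], set(), []
    for ev in events:
        if ev["id"] == 4608:  # Logon IDs start over, so flush what is open
            closed += [{**s, "end": "no logoff before restart"}
                       for s in open_s.values()]
            open_s.clear()
            boot += 1
            continue
        luid = int(ev["logon_id"], 16)
        key = (boot, luid)    # the same ID in another boot is another session
        if ev["id"] == 4624:
            open_s[key] = {"logon_id": hex(luid), "boot": boot,
                           "account": WELL_KNOWN.get(luid, ev["user"]),
                           "type": LOGON_TYPES.get(ev["type"], str(ev["type"])),
                           "start": ev["time"]}
        elif ev["id"] in (4634, 4647):
            if key in open_s:
                closed.append({**open_s.pop(key), "end": ev["time"]})
                done.add(key)
            elif key not in done:  # a 4634 after a 4647 for the same ID is normal
                orphans.append((boot, hex(luid), ev["time"]))
    return closed, list(open_s.values()), orphans
```

A logoff whose Logon ID has no matching logon in the same boot usually means the start of the log is missing (rotated or cleared), which is worth checking against event 1102 (audit log cleared) when reviewing a host.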