There are many forum threads asking about logon events. This article introduces some simple but efficient ways to better understand user logon events.
Logon Type
Logon type is a concise parameter which can help us determine where and how logon events are triggered.
Windows has 13 logon types, each of which is well documented in the article below:
Please note that an Interactive logon can be generated both locally and remotely through Terminal Services/Remote Desktop Services. Logon attempts through Terminal Services/Remote Desktop Services are logged as Remote Interactive logons, with logon type 10.
It is easy to confuse Network logon (logon type 3) with Remote Interactive logon.
In fact, a Network logon only provides network access to the destination computer, while an interactive logon lets users interact with applications on the destination computer after they log on.
Another way to distinguish Interactive and Network logons is that an Interactive logon requires users to enter credentials during the logon process, so we see Event ID 4648 “A logon was attempted using explicit credentials” (Figure 1) for every interactive logon, whereas a Network logon doesn’t require explicit credentials.
Figure 1: Event 4648
This is by design to provide a better user experience, so that we don’t need to enter credentials repeatedly when accessing network resources after we have logged on. It is also part of the reason why there are always countless logon/logoff events in the event logs.
Figure 2 and Figure 3 show examples of Remote Interactive logon and Network logon events.
Figure 2: Network Logon
Figure 3: Remote Interactive Logon
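An added example, not part of the original article: Python that reads Security-log events in the Windows event XML schema, keeps the successful-logon records and separates Network (type 3) from Remote Interactive (type 10) logons. The sample events, user names and addresses are constructed; the use of Event ID 4624 with its `LogonType`, `TargetUserName` and `IpAddress` fields is an assumption, since the article does not name the event that carries the logon type.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types named in the article; any other value is reported by number.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def _event(event_id, **data):
    """Build one trimmed event record (constructed sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample: five 4624 logons plus one 4648 record that must be skipped.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4624, TargetUserName="alice", LogonType=2, IpAddress="-"),
    _event(4624, TargetUserName="alice", LogonType=3, IpAddress="192.0.2.10"),
    _event(4648, TargetUserName="bob"),
    _event(4624, TargetUserName="bob", LogonType=10, IpAddress="192.0.2.20"),
    _event(4624, TargetUserName="bob", LogonType=3, IpAddress="192.0.2.20"),
    _event(4624, TargetUserName="svc", LogonType=5, IpAddress="-"),
]) + "</Events>"

def parse_logons(xml_text):
    """Return one dict per 4624 (successful logon) event in the export."""
    logons = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        code = int(data["LogonType"])
        logons.append({"user": data.get("TargetUserName", ""), "type": code,
                       "type_name": LOGON_TYPES.get(code, f"Type {code}"),
                       "source": data.get("IpAddress", "-")})
    return logons

def users_by_logon_type(logons):
    """Group account names under each logon type seen in the log."""
    summary = defaultdict(set)
    for entry in logons:
        summary[entry["type_name"]].add(entry["user"])
    return {name: sorted(users) for name, users in summary.items()}

def remote_desktop_logons(logons):
    """Type 10 only: a type 3 logon from the same host is network access."""
    return [(e["user"], e["source"]) for e in logons if e["type"] == 10]
```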