
What is the event ID 4624 used for?

Published in Windows Security Events 4 mins read


Event ID 4624 is a crucial entry in the Windows Security Log: it records every successful logon to a local computer. This event signifies that a user or system process has successfully authenticated and established a logon session on the machine where the event is generated.

Understanding Event ID 4624

When a user, service, or system process successfully logs into a Windows computer, the operating system generates Event ID 4624 in the Security Event Log. This event is recorded on the specific computer that was accessed, marking the creation of a successful logon session. It serves as a vital record for auditing, security monitoring, and forensic analysis within an IT environment.

Key Information Captured

Each instance of Event ID 4624 provides detailed insights into the successful logon attempt. While the specific fields can vary slightly based on the logon type, common information includes:

  • Account Name: The username that successfully logged on (e.g., Domain\Username or ComputerName\Username).
  • Account Domain: The domain or computer name associated with the account.
  • Logon ID: A hexadecimal value that uniquely identifies the logon session on the local computer.
  • Logon Type: Indicates how the user logged on (e.g., interactive, network, remote desktop).
  • Source Network Address: The IP address from which the logon originated (if applicable).
  • Source Port: The port number used by the source.
  • Workstation Name: The name of the computer from which the logon attempt was made.
  • Process Information: Details about the process that initiated the logon.

Common Logon Types for Event ID 4624

The "Logon Type" field within Event ID 4624 is particularly important as it describes the nature of the successful logon. Here are some of the most frequently encountered logon types:

Logon Type | Description                          | Typical Scenarios
-----------|--------------------------------------|-------------------------------------------------------------------------------------------------
2          | Interactive                          | User logs on directly at the computer's keyboard and screen.
3          | Network                              | User accesses a shared folder, printer, or runs a scheduled task over the network.
4          | Batch                                | Logons initiated by batch servers, like a scheduled task account.
5          | Service                              | A service (e.g., SQL Server, IIS) starts and logs on using a service account.
7          | Unlock                               | User unlocks a workstation that was locked.
8          | NetworkCleartext                     | User logs on to the network with credentials sent in cleartext (rare and insecure).
9          | NewCredentials                       | Process calls LogonUser with the LOGON_NEW_CREDENTIALS flag, creating new credentials.
10         | RemoteInteractive (Remote Desktop)   | User logs on to the computer remotely via Remote Desktop Protocol (RDP).
11         | CachedInteractive                    | User logs on interactively using cached domain credentials when a domain controller is unavailable.

Importance for Security and Compliance

Monitoring Event ID 4624 is fundamental for robust security posture and compliance. It helps organizations:

  • Detect Unauthorized Access: While it signals success, an unexpected successful logon from an unusual location or at an odd time can indicate a compromised account.
  • Track User Activity: Provides a clear audit trail of who accessed which system and when.
  • Meet Compliance Requirements: Many regulatory standards (e.g., HIPAA, PCI DSS, GDPR) require detailed logging of access to sensitive systems.
  • Investigate Security Incidents: In the event of a breach, these logs are crucial for understanding the attack vector and lateral movement within the network.

How Event ID 4624 Relates to Event ID 4625

It's important to understand Event ID 4624 in contrast to its counterpart, Event ID 4625. While Event ID 4624 documents successful logon attempts, Event ID 4625 is generated for every failed logon attempt. Monitoring both events provides a comprehensive picture of access attempts on a system, highlighting potential brute-force attacks or misconfigured accounts alongside legitimate access.

Viewing Event ID 4624

To view Event ID 4624 entries, you can use the built-in Windows Event Viewer:

  1. Open Event Viewer (type eventvwr.msc in the Run dialog or search for "Event Viewer").
  2. Navigate to Windows Logs > Security.
  3. In the right-hand "Actions" pane, select Filter Current Log...
  4. Enter 4624 in the "Event IDs:" field and click "OK."

This will display a filtered list of all successful logon events, allowing administrators to review the details of each entry. For large environments, specialized Security Information and Event Management (SIEM) systems are used to centralize and analyze these logs more efficiently.
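The same review can be scripted when there are too many entries to click through. The following PowerShell is an added example, not code from the original article; it assumes an elevated session on a Windows host and reads the fields described above (account, logon type, logon ID, source address and port, workstation, process) out of each event's XML payload.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session; the Security log is not readable by standard users.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No 4624 events since $since"; return }

# Flatten each event's <EventData> into the fields the article describes.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = [int]$data.LogonType
        LogonId     = $data.TargetLogonId       # hex session ID, matches later 4634/4647 events
        SourceIP    = $data.IpAddress
        SourcePort  = $data.IpPort
        Workstation = $data.WorkstationName
        Process     = $data.ProcessName
    }
}

# Counts per logon type over the window; rare types such as 8 (NetworkCleartext)
# stand out here before any single event is examined.
$rows | Group-Object LogonType | Sort-Object { [int]$_.Name } |
    Format-Table @{ n = 'LogonType'; e = { $_.Name } }, Count -AutoSize

# Network (3) and RDP (10) logons from a remote address, excluding machine accounts
# (names ending in $), are the entries an analyst usually reviews first for
# unexpected sources or odd hours.
$rows |
    Where-Object {
        $_.LogonType -in @(3, 10) -and
        $_.SourceIP -notin @('-', '127.0.0.1', '::1') -and
        $_.Account -notmatch '\$$'
    } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, LogonType, SourceIP, SourcePort, Workstation -AutoSize
```

Pair the output with Event ID 4625 from the same window to see failed attempts against the same accounts or from the same source addresses.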