When reviewing the Windows security log, you will often see different values for the login type: 2, 3, 5, 8, and so on. The most common types are 2 (interactive) and 3 (network).
The possible login type values are described in detail below.
Login Type 2: Interactive Login
This is probably the first login method that comes to mind. An interactive login is one made by the user at the computer's console, that is, at the local keyboard.
Login Type 3: Network
When you access a computer over the network, Windows records the login as type 3 in most cases, most often when connecting to a shared folder or a shared printer. Logins to IIS over the Internet are usually recorded as this type as well, except for IIS basic authentication, which is recorded as type 8 and is described below.
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x2,0xFC38EC05)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: 098B11CAF05E4A0
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.197.35
Source Port: 0
Caller Process Name: %16
Login Type 4: Batch
When Windows runs a scheduled task, the Scheduled Task service first creates a new login session for the task so that it can run under the user account configured for it. Windows records this login as type 4. Other job-scheduling systems, depending on their design, can also generate a type 4 login event when they start a job. A type 4 login usually just indicates that a scheduled task has started. A failed type 4 login, however, may mean that a malicious user is trying to guess a user's password through a scheduled task. It can also simply mean that the password stored in the task is out of date, for example because the user's password was changed and the task was not updated to match.
Login Type 5: Service
As with scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that account, which is recorded as type 5. A failed type 5 login usually indicates that the account's password was changed and not updated in the service configuration. It can also be caused by a malicious user guessing the password, but this is less likely: creating a new service or editing an existing one requires membership in Administrators or Server Operators by default, and a malicious user with that level of access can already do damage without needing to guess a service password.
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: NAUTICAR-X200$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {000000000-0000-0000-0000-00000000000}
Process Information:
Process ID: 0x254
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated on the accessed computer after the login session is created.
The Subject field indicates the account on the local system that requests to sign in. This is usually a service (such as a Server service) or a local process (such as Winlogon.exe or Services.exe).
Login Type 7: Unlock
You may have workstations configured to start a password-protected screensaver automatically when a user leaves the computer. When the user returns and unlocks it, Windows treats the unlock as a type 7 login. A failed type 7 login indicates that someone entered the wrong password or that someone is trying to unlock the computer.
Login Type 8: NetworkCleartext
This is a type 3 network login in which the password was transmitted over the network in plaintext. The Windows Server service does not allow plaintext authentication for connections to shared folders or printers; as far as I know, this type occurs only when logging in from an ASP script using Advapi or when a user logs in to IIS using basic authentication. In both cases, Advapi is listed in the Logon Process field.
Successful Network Logon:
User Name: IUSR_HP-8DFC7CA1B32C
Domain: HP-8DFC7CA1B32C
Logon ID: (0x0,0x89F503)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: HP-8DFC7CA1B32C
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 3656
Transited Services: -
Source Network Address: -
Source Port: -
Caller Process Name: %16
Login Type 9: New Credentials
When you run a program with RUNAS and the /netonly parameter, the program runs locally as the currently logged-in user, but when it needs to connect to other computers on the network, it connects as the user specified in the RUNAS command. Windows records this login as type 9. If the RUNAS command does not include /netonly, the program runs as the specified user, and the login type in the log is 2.
Login Type 10: RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop, or Remote Assistance, Windows records the login as type 10 to distinguish it from a true console login. Note that this login type was not supported in versions prior to XP; Windows 2000, for example, still records a Terminal Services login as type 2.
Login Type 11: CachedInteractive
Windows supports a feature called cached login, which is especially useful for mobile users, for example when you log in as a domain user from outside your network and cannot reach a domain controller. By default, Windows caches the credential hashes of the last 10 interactive domain logins; if you later log in as a domain user and no domain controller is available, Windows uses these hashes to verify your identity.
The above describes the Windows login types. Note that Windows 2000 does not record security logs by default; you must first enable "Audit logon events" under the Group Policy path "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy" to see the log information above. I hope these details help you better understand what is happening on your systems and keep your network stable.
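To apply the type-by-type reading above to an exported log, the following added example (not part of the original article) tallies logon events by type and flags the cases the article singles out: any type 8 logon, and failed type 4, 5 and 7 logons. It assumes events exported as XML in the Windows Vista-and-later event schema, with event ID 4624 for a successful logon and 4625 for a failed one; the sample events, account names and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
         8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
         11: "CachedInteractive"}
# Likely causes of a failed logon, per type, as described in the article.
FAILURE_HINTS = {4: "task password not updated, or password guessing via a task",
                 5: "service password changed but not updated on the service",
                 7: "wrong password entered at the unlock screen"}

# Constructed sample export (not from a real host): (event ID, type, user, source IP).
_ROWS = [(4624, 2, "alice", "-"), (4624, 3, "carol", "192.0.2.35"),
         (4624, 8, "IUSR_WEB01", "-"), (4625, 4, "svc_backup", "-"),
         (4625, 5, "svc_sql", "-"), (4625, 7, "alice", "-"),
         (4624, 10, "bob", "192.0.2.10")]
_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
          '<System><EventID>{0}</EventID></System><EventData>'
          '<Data Name="LogonType">{1}</Data><Data Name="TargetUserName">{2}</Data>'
          '<Data Name="IpAddress">{3}</Data></EventData></Event>')
SAMPLE = "<Events>" + "".join(_EVENT.format(*r) for r in _ROWS) + "</Events>"

def parse(xml_text):
    """Yield (event_id, logon_type, user, source_ip) for each 4624/4625 event."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if eid in (4624, 4625) and (data.get("LogonType") or "").isdigit():
            yield eid, int(data["LogonType"]), data.get("TargetUserName"), data.get("IpAddress")

def triage(xml_text):
    """Return (Counter keyed by (outcome, type name), findings to review)."""
    counts, findings = Counter(), []
    for eid, lt, user, ip in parse(xml_text):
        outcome = "success" if eid == 4624 else "failure"
        counts[(outcome, TYPES.get(lt, f"Unknown({lt})"))] += 1
        if lt == 8:  # flagged on success too: the password was exposed in transit
            findings.append((user, ip, lt, "password sent over the network in plaintext"))
        elif outcome == "failure" and lt in FAILURE_HINTS:
            findings.append((user, ip, lt, FAILURE_HINTS[lt]))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE)
    for key, n in sorted(counts.items()):
        print(key, n)
    for finding in findings:
        print(finding)
```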