|
|
D:\Windows11Research\EventLogs\4624\Windows10Pro22H24624.txt |
|
|
D:\Windows11Research\EventLogs\4624\Windows11Pro22H24624.txt |
1 |
|
An account was successfully logged on.Subject: |
|
1 |
An account was successfully logged on.Subject: |
2 |
|
Security ID: |
|
2 |
Security ID: |
3 |
|
|
|
3 |
|
4 |
|
{SubjectUserSid} |
|
4 |
{SubjectUserSid} |
5 |
|
Account Name: |
|
5 |
Account Name: |
6 |
|
|
|
6 |
|
7 |
|
{SubjectUserName} |
|
7 |
{SubjectUserName} |
8 |
|
Account Domain: |
|
8 |
Account Domain: |
9 |
|
|
|
9 |
|
10 |
|
{SubjectDomainName} |
|
10 |
{SubjectDomainName} |
11 |
|
Logon ID: |
|
11 |
Logon ID: |
12 |
|
|
|
12 |
|
13 |
|
{SubjectLogonId}Logon Information: |
|
13 |
{SubjectLogonId}Logon Information: |
14 |
|
Logon Type: |
|
14 |
Logon Type: |
15 |
|
|
|
15 |
|
16 |
|
{LogonType} |
|
16 |
{LogonType} |
17 |
|
Restricted Admin Mode: |
|
17 |
Restricted Admin Mode: |
18 |
|
{SubjectUserName}2 |
|
18 |
{SubjectUserName}2 |
|
!> |
|
|
19 |
Remote Credential Guard: |
|
!> |
|
|
20 |
{SubjectUserName}3 |
19 |
|
Virtual Account: |
|
21 |
Virtual Account: |
20 |
|
|
|
22 |
|
21 |
* |
{SubjectUserName}5 |
|
23 |
{SubjectUserName}6 |
22 |
|
Elevated Token: |
|
24 |
Elevated Token: |
23 |
|
|
|
25 |
|
24 |
* |
{SubjectUserName}7Impersonation Level: |
|
26 |
{SubjectUserName}8Impersonation Level: |
25 |
|
|
|
27 |
|
26 |
|
{SubjectUserName}1New Logon: |
|
28 |
{SubjectUserName}1New Logon: |
27 |
|
Security ID: |
|
29 |
Security ID: |
28 |
|
|
|
30 |
|
29 |
|
{TargetUserSid} |
|
31 |
{TargetUserSid} |
30 |
|
Account Name: |
|
32 |
Account Name: |
31 |
|
|
|
33 |
|
32 |
|
{TargetUserName} |
|
34 |
{TargetUserName} |
33 |
|
Account Domain: |
|
35 |
Account Domain: |
34 |
|
|
|
36 |
|
35 |
|
{TargetDomainName} |
|
37 |
{TargetDomainName} |
36 |
|
Logon ID: |
|
38 |
Logon ID: |
37 |
|
|
|
39 |
|
38 |
|
{TargetLogonId} |
|
40 |
{TargetLogonId} |
39 |
|
Linked Logon ID: |
|
41 |
Linked Logon ID: |
40 |
|
|
|
42 |
|
41 |
* |
{SubjectUserName}6 |
|
43 |
{SubjectUserName}7 |
42 |
|
Network Account Name: |
|
44 |
Network Account Name: |
43 |
<! |
{SubjectUserName}3 |
|
|
|
44 |
<! |
Network Account Domain: |
|
|
|
45 |
|
{SubjectUserName}4 |
|
45 |
{SubjectUserName}4 |
|
!> |
|
|
46 |
Network Account Domain: |
|
!> |
|
|
47 |
{SubjectUserName}5 |
46 |
|
Logon GUID: |
|
48 |
Logon GUID: |
47 |
|
|
|
49 |
|
48 |
|
{SubjectUserSid}3Process Information: |
|
50 |
{SubjectUserSid}3Process Information: |
49 |
|
Process ID: |
|
51 |
Process ID: |
50 |
|
|
|
52 |
|
51 |
|
{SubjectUserSid}7 |
|
53 |
{SubjectUserSid}7 |
52 |
|
Process Name: |
|
54 |
Process Name: |
53 |
|
|
|
55 |
|
54 |
|
{SubjectUserSid}8Network Information: |
|
56 |
{SubjectUserSid}8Network Information: |
55 |
|
Workstation Name: |
|
57 |
Workstation Name: |
56 |
|
{SubjectUserSid}2 |
|
58 |
{SubjectUserSid}2 |
57 |
|
Source Network Address: |
|
59 |
Source Network Address: |
58 |
|
{SubjectUserSid}9 |
|
60 |
{SubjectUserSid}9 |
59 |
|
Source Port: |
|
61 |
Source Port: |
60 |
|
|
|
62 |
|
61 |
|
{SubjectUserName}0Detailed Authentication Information: |
|
63 |
{SubjectUserName}0Detailed Authentication Information: |
62 |
|
Logon Process: |
|
64 |
Logon Process: |
63 |
|
|
|
65 |
|
64 |
|
{SubjectUserSid}0 |
|
66 |
{SubjectUserSid}0 |
65 |
|
Authentication Package: |
|
67 |
Authentication Package: |
66 |
|
{SubjectUserSid}1 |
|
68 |
{SubjectUserSid}1 |
67 |
|
Transited Services: |
|
69 |
Transited Services: |
68 |
|
{SubjectUserSid}4 |
|
70 |
{SubjectUserSid}4 |
69 |
|
Package Name (NTLM only): |
|
71 |
Package Name (NTLM only): |
70 |
|
{SubjectUserSid}5 |
|
72 |
{SubjectUserSid}5 |
71 |
|
Key Length: |
|
73 |
Key Length: |
72 |
|
|
|
74 |
|
73 |
|
{SubjectUserSid}6This event is generated when a logon session is created. It is generated on the computer that was accessed.The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service; or a local process such as Winlogon.exe or Services.exe.The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).The New Logon fields indicate the account for whom the new logon was created; i.e. the account that was logged on.The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.The impersonation level field indicates the extent to which a process in the logon session can impersonate.The authentication information fields provide detailed information about this specific logon request. |
|
75 |
{SubjectUserSid}6This event is generated when a logon session is created. It is generated on the computer that was accessed.The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service; or a local process such as Winlogon.exe or Services.exe.The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).The New Logon fields indicate the account for whom the new logon was created; i.e. the account that was logged on.The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.The impersonation level field indicates the extent to which a process in the logon session can impersonate.The authentication information fields provide detailed information about this specific logon request. |
74 |
|
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. |
|
76 |
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. |
75 |
|
- Transited services indicate which intermediate services have participated in this logon request. |
|
77 |
- Transited services indicate which intermediate services have participated in this logon request. |
76 |
|
- Package name indicates which sub-protocol was used among the NTLM protocols. |
|
78 |
- Package name indicates which sub-protocol was used among the NTLM protocols. |
77 |
|
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |
|
79 |
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested. |