Logon Type | Logon Title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
StatusSub-Status Code | Description |
---|---|
0XC000005E | There are currently no logon servers available to service the logon request. |
0xC0000064 | User logon with misspelled or bad user account |
0xC000006A | User logon with misspelled or bad password |
0XC000006D | This is either due to a bad username or authentication information |
0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
0xC000006F | User logon outside authorized hours |
0xC0000070 | User logon from unauthorized workstation |
0xC0000071 | User logon with expired password |
0xC0000072 | User logon to account disabled by administrator |
0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
0XC0000133 | Clocks between DC and other computer too far out of sync |
0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
0XC0000192 | An attempt was made to logon, but the Netlogon service was not started. |
0xC0000193 | User logon with expired account |
0XC0000224 | User is required to change password at next logon |
0XC0000225 | Evidently a bug in Windows and not a risk |
0xC0000234 | User logon with account locked |
0XC00002EE | Failure Reason: An Error occurred during Logon |
0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
0x0 | Status OK. |
Field | Value to monitor for |
---|---|
Failure InformationStatus or Failure InformationSub Status | 0XC000005E – “There are currently no logon servers available to service the logon request.” This is typically not a security issue but it can be an infrastructure or availability issue. |
Failure InformationStatus or Failure InformationSub Status | 0xC0000064 – “User logon with misspelled or bad user account”. Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
Failure InformationStatus or Failure InformationSub Status | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. Especially watch for a number of such events in a row. |
Failure InformationStatus or Failure InformationSub Status | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. Especially watch for a number of such events in a row. |
Failure InformationStatus or Failure InformationSub Status | 0xC000006F – “User logon outside authorized hours”. |
Failure InformationStatus or Failure InformationSub Status | 0xC0000070 – “User logon from unauthorized workstation”. |
Failure InformationStatus or Failure InformationSub Status | 0xC0000072 – “User logon to account disabled by administrator”. |
Failure InformationStatus or Failure InformationSub Status | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
Failure InformationStatus or Failure InformationSub Status | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue. |
Failure InformationStatus or Failure InformationSub Status | 0xC0000193 – “User logon with expired account”. |
Failure InformationStatus or Failure InformationSub Status | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |