This is useful for servers that export their own objects, for example, database products that export tables and views. SecurityIdentification (displayed as " Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero. SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client.
Impersonation Level : can have one of these four values: If "Yes", then the session this event represents is elevated and has administrator privileges.
Virtual Account : a "Yes" or "No" flag, which indicates if the account is a virtual account (e.g., " Managed Service Account"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService".Įlevated Token : a "Yes" or "No" flag. If not a RemoteInteractive logon, then this will be "-" string. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin Mode : Only populated for RemoteInteractive logon type sessions.
The domain controller was not contacted to verify the credentials. The new logon session has the same local identity, but uses different credentials for other network connections.Ī user logged on to this computer remotely using Terminal Services or Remote Desktop.Ī user logged on to this computer with network credentials that were stored locally on the computer. The credentials do not traverse the network in plaintext (also called cleartext).Ī caller cloned its current token and specified new credentials for outbound connections. The built-in authentication packages all hash credentials before sending them across the network.
The user's password was passed to the authentication package in its unhashed form. Used only by the System account, for example at system startup.Ī user or computer logged on to this computer from the network.īatch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.Ī service was started by the Service Control Manager.Ī user logged on to this computer from the network. The table below contains the list of possible values for this field.
Uppercase full domain name: CONTOSO.LOCALįor some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".įor local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81". Lowercase full domain name: contoso.local For more information about SIDs, see Security identifiers.Īccount Name : the name of the account that reported information about successful logon.Īccount Domain : subject’s domain or computer name. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. If the SID cannot be resolved, you will see the source data in the event.Ī security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Event Viewer automatically tries to resolve SIDs and show the account name. Security ID : SID of account that reported information about successful logon or invokes it. Logon Type moved to "Logon Information:" section. Minimum OS Version: Windows Server 2008, Windows Vista. For recommendations, see Security Monitoring Recommendations for this event.