
Introduction to Windows Logon Types. How to Enable Logon Events?

Updated: Mar 22, 2023

What is Logon?

A logon in Windows refers to the process of gaining access to a computer or network by providing valid credentials, such as a username and password. A logon is required in order to access the resources and functionality of a Windows system, such as files, applications, and network connections.


When a user attempts to log on to a Windows system, they must provide their username and password to authenticate their identity. The Windows operating system then checks the user's credentials against a user database, such as Active Directory or a local user account database, to verify that the user is authorized to access the system. If the user's credentials are valid, they are granted access to the system and can begin using its resources.




What are Logon Types?

There are several different types of Windows logon, each of which corresponds to a specific authentication mechanism. Understanding the different types of logon can help you identify who is accessing your system and how they are doing it.


Here are the most common types of Windows logon:

  1. Interactive Logon: This logon type occurs when a user logs on to a computer locally by entering their username and password at the login screen. This is the most common type of logon and is used when the user is physically present at the computer.

  2. Network Logon: This logon type occurs when a user logs on to a computer over the network by providing their username and password. This type of logon is used when a user accesses shared resources on another computer on the network, such as a file share or printer.

  3. Remote Interactive Logon: This logon type occurs when a user logs on to a computer remotely via Remote Desktop or Remote Assistance. This type of logon is used when a user needs to access a computer that is located in a different physical location.

  4. Cached Logon: This logon type occurs when a user logs on to a computer using cached credentials that were previously stored on the computer. This type of logon is used when the computer is not connected to the network or the domain controller cannot be reached.

  5. Batch Logon: This logon type occurs when a batch job or task runs under a specified user account. This type of logon is used when a task needs to be run under a specific user account, such as a backup task or scheduled task.

  6. Service Logon: This logon type occurs when a Windows service runs under a specified user account. This type of logon is used when a service needs to access network resources or perform other tasks that require authentication.

  7. Unlock Logon: This logon type occurs when a user unlocks a computer that has been locked. This type of logon is used when a user temporarily steps away from their computer and needs to quickly regain access without logging off.


Enable Logon Events

There are several different methods to enable logon events in Windows, depending on the version of Windows you are using and your specific needs. Here are some common methods to enable logon events:


Method 1: Local Security Policy

STEP 1: Open Local Security Policy by typing "secpol.msc" in the Run dialog box.


STEP 2: Navigate to the following path:

Local Policies => Audit Policy.


STEP 3: Enable "Audit Logon events".


Method 2: Group Policy Editor

STEP 1: Open the Group Policy Editor by typing "gpedit.msc" in the Run dialog box.


STEP 2: Navigate to the following path:

Computer Configuration => Windows Settings => Security Settings => Local Policies => Audit Policy.


STEP 3: Enable "Audit Logon events".


Method 3: PowerShell

STEP 1: Open PowerShell


STEP 2: Type the following command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'AuditLogonEvents' -Value 3


Method 4: Registry Editor

STEP 1: Open Registry Editor by typing "regedit" in the Run dialog box.


STEP 2: Navigate to the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

STEP 3: Create a DWORD value called "AuditLogonEvents" and set the value to 3.


Once you have enabled logon events using one of these methods, you can view the logon events in the Windows event logs. To do this, open Event Viewer by typing "eventvwr.msc" in the Run dialogue box, navigate to Windows Logs > Security and look for events with an Event ID of 4624 (for successful logons) or 4625 (for failed logon attempts). These events will provide information about the user account that was used to log on, the logon type, and the source of the logon (e.g. local or network).
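
The review step above can also be scripted. The following is an added example, not code from the original article: it maps the numeric LogonType field recorded in events 4624 and 4625 to the logon type names listed earlier and summarizes recent events. The helper name ConvertTo-LogonRecord is hypothetical, the sample event is constructed, and the numeric codes are the values Windows writes to the event, which the article does not list.

```powershell
# Added example, not from the original article. LogonType codes recorded in
# Security events 4624/4625, mapped to the logon type names used in the article.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 10 = 'Remote Interactive'; 11 = 'Cached'
}

function ConvertTo-LogonRecord {
    # Hypothetical helper: flattens one event's XML into a record.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $type = [int]$data['LogonType']
        $name = $LogonTypeNames[$type]
        if (-not $name) { $name = "Other ($type)" }   # codes not covered in the article
        [pscustomobject]@{
            Result    = if ([int]$evt.System.EventID -eq 4624) { 'Success' } else { 'Failure' }
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $name
            Source    = $data['IpAddress']
        }
    }
}

# Constructed sample event, trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">203.0.113.7</Data>
  </EventData>
</Event>
'@
$sample | ConvertTo-LogonRecord

# On a live system, from an elevated session: check the effective audit policy,
# then summarize recent logon events by result and logon type.
auditpol /get /category:"Logon/Logoff"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 500 |
    ForEach-Object { $_.ToXml() } | ConvertTo-LogonRecord |
    Group-Object Result, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

If auditpol reports "No Auditing" for the Logon subcategory, no 4624 or 4625 events are being written, and the audit setting should be rechecked before relying on the summary.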
