Log Secrets: How Much Do You Know About Windows Login Types?

  
If you pay attention to the Windows system security log, you will notice in the event descriptions that the "login type" is not always the same. Are there other types besides interactive login at the keyboard (login type 1)?
To get more valuable information into the logs, Windows subdivides logins into a variety of types, so that you can distinguish whether a user logged in locally or from the network, as well as many other ways of logging in. Knowing these login types will help you find suspicious hacking activity in the event log and determine how the attack was carried out. Let's take a closer look at the Windows login types.
Login Type 2: Interactive Login (Interactive)

This is probably the first login method that comes to mind. An interactive login means that the user logs in at the computer's console, that is, at the local keyboard. Don't forget that logging in through a KVM is still an interactive login, even though it is web-based.
Login Type 3: Network


When you access a computer from the network, in most cases Windows records it as type 3. The most common cases are connecting to a shared folder or a shared printer. In most cases, logging in to IIS over the network is also recorded as this type; the exception is IIS basic authentication, which is recorded as type 8, as described below.
Login Type 4: Batch


When Windows runs a scheduled task, the Scheduled Task service first creates a new login session for the task so that it can run under the user account configured for that task. When this login occurs, Windows records it as type 4 in the log. Other job-scheduling systems, depending on their design, can also generate type 4 login events when they start a job. A type 4 login usually just indicates that a scheduled task started, but it is also possible that a malicious user is guessing a user's password by scheduling tasks; such an attempt generates a type 4 login failure event. However, this kind of failed login can also occur because the password stored for the scheduled task was not kept in sync, for example when the user's password was changed and nobody remembered to update it in the scheduled task.
Login Type 5: Service


Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password was changed and not updated in the service configuration. It could also be a malicious user guessing passwords, but this is relatively unlikely: creating a new service or editing an existing one requires administrator or Server Operators membership by default, and a malicious user with that identity already has enough power to do damage without needing to guess a service password.
Login Type 7: Unlock

You may want a workstation to start a password-protected screen saver automatically when a user leaves the computer. When the user comes back and unlocks it, Windows treats the unlock operation as a type 7 login. A failed type 7 login indicates that someone entered the wrong password or that someone is trying to unlock the computer. Tr
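The triage described above can be applied to an XML export of the Security log. The following is an added example, not part of the original article: it groups failed logins by login type and attaches the article's interpretation for types 4, 5 and 7. It assumes the standard Security event IDs 4624 (successful logon) and 4625 (failed logon) and their `LogonType` and `TargetUserName` fields, which the article does not name; the `<Events>` wrapper, the helper names and the sample accounts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Login types covered by the article; type 8 is the IIS basic-auth case it mentions.
NAMES = {"2": "Interactive", "3": "Network", "4": "Batch",
         "5": "Service", "7": "Unlock", "8": "NetworkCleartext"}
# The article's reading of a *failed* login, for the types where it gives one.
FAILURE_HINTS = {
    "4": "scheduled task has a stale password, or password guessing via a task",
    "5": "service password changed but not updated (guessing is unlikely)",
    "7": "wrong password typed, or someone trying to unlock the workstation",
}

def parse_logons(xml_text):
    """Return one dict per 4624 (success) / 4625 (failure) event."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in ("4624", "4625"):
            continue  # ignore logoff and other event types
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        out.append({"failed": event_id == "4625",
                    "type": data.get("LogonType", "?"),
                    "user": data.get("TargetUserName", "?")})
    return out

def failed_by_type(records):
    """Count failures per (login type, user) and attach the article's hint."""
    counts = Counter((r["type"], r["user"]) for r in records if r["failed"])
    return [{"type": t, "name": NAMES.get(t, "other"), "user": u, "count": n,
             "hint": FAILURE_HINTS.get(t, "no guidance in the article")}
            for (t, u), n in sorted(counts.items())]

def _event(event_id, logon_type, user):  # builds one constructed sample record
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample export (not real log data); 4634 is a logoff and is skipped.
SAMPLE = "<Events>" + "".join([
    _event(4624, 2, "alice"), _event(4624, 3, "bob"), _event(4634, 3, "bob"),
    _event(4625, 4, "svc_backup"), _event(4625, 4, "svc_backup"),
    _event(4625, 5, "svc_sql"), _event(4625, 7, "alice")]) + "</Events>"

if __name__ == "__main__":
    for r in failed_by_type(parse_logons(SAMPLE)):
        print(f'{r["count"]}x type {r["type"]} ({r["name"]}) {r["user"]}: {r["hint"]}')
```

Repeated type 4 failures for one account, as in the sample, are the case the article says to check against both a stale scheduled-task password and password guessing.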