Yes, Windows allows you to get more valuable information from the logs. It subdivides logins into a wide variety of types so that you can distinguish whether a user logged in locally, from the network, and more. Knowing these login types will help you find suspicious hacker behavior in the event log and determine how they are attacking. Let's take a closer look at the Windows login types.
Login Type 2: Interactive Login (Interactive)
This should be the login method you think of first. An interactive login means that the user logs in at the console of the computer, that is, on the local keyboard. Don't forget that logging in via KVM is still an interactive login, although it is web based.
Login Type 3: Network
When you access a computer from the network, in most cases Windows records it as type 3. The most common case is connecting to a shared folder or a shared printer. In most cases, logging in to IIS over the network is also recorded as this type, but IIS logins that use basic authentication are an exception: they are recorded as type 8, as described below.
Login Type 4: Batch
When Windows runs a scheduled task, the Scheduled Task service first creates a new login session for the task so that it can run under the user account configured for the scheduled task. When this login occurs, Windows records it as type 4 in the log. Other job-scheduling systems, depending on their design, can also generate a type 4 login event when starting work. A type 4 login usually indicates that a scheduled task has started, but it may also be a malicious user guessing a user's password through a scheduled task. Such an attempt generates a type 4 login failure event, but a failed login of this type may also occur because the password for the scheduled task was not synchronized, for example when the user's password was changed and the change was not made in the scheduled task.
Login Type 5: Service
Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for this particular user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password has changed and has not been updated in the service configuration. It may also be caused by a malicious user guessing the password, but this is less likely, because creating a new service or editing an existing service requires the Administrators or Server Operators identity by default, and a malicious user with this identity already has enough ability to do his bad things and no longer needs to guess the service password.
Login Type 7: Unlock
You may want a workstation to automatically start a password-protected screen saver when a user leaves the computer. When the user comes back and unlocks it, Windows treats the unlock operation as a type 7 login. A failed type 7 login indicates that someone has entered the wrong password or someone is trying to unlock the computer.
Login Type 8: NetworkCleartext
This login type indicates a network login like type 3, but the password for this login is transmitted in clear text over the network. The Windows Server service does not allow connections to shared folders or printers through clear-text authentication. As far as I know, this type of login is only available when logging in from an ASP script using Advapi or when a user logs in to IIS using basic authentication. Advapi will be listed in the "Login Process" column.
Login Type 9: NewCredentials
When you run a program using the RUNAS command with the /Netonly parameter, RUNAS runs it as the currently logged-in local user, but if the program needs to connect to other computers on the network, it connects as the user specified in the RUNAS command, and Windows records this login as type 9. If the RUNAS command does not have the /Netonly parameter, the program runs as the specified user, but the login type in the log is 2.
Login Type 10: Remote Interactive (RemoteInteractive)
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records the login as type 10 to differentiate it from a login at the real console. Note that versions before XP do not support this login type. For example, Windows 2000 still records a Terminal Services login as type 2.
Login Type 11: Cached Interactive (CachedInteractive)
Windows supports a feature called cached login, which is especially beneficial for mobile users, for example when you are outside your own network. This feature is used when a user logs in and cannot reach a domain controller. By default, Windows caches the credentials of the last 10 interactive domain logins. If you later log in as a domain user and no domain controller is available, Windows uses these hashes to verify your identity.
The above describes the Windows login types, but by default Windows 2000 does not record security logs. You must first enable "Audit Login Event" in Group Policy under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies" to see the record information above. I hope that these detailed records will help you better understand the system and maintain network stability.
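The triage described above, as an added example that is not part of the original article: it labels each login record with its type name, flags type 8 logins (clear-text password), and groups failed logins by account and type with the explanation the article gives for that type. The record field names and the sample events are constructed for illustration.

```python
from collections import Counter

# Login type numbers and names as listed in the article.
LOGIN_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# What the article says a failed login of each type usually means.
FAILURE_HINTS = {
    4: "scheduled task password out of sync, or password guessing via a task",
    5: "service account password changed but not updated in the service",
    7: "wrong password at unlock, or someone trying to unlock the computer",
}

# Constructed sample records with hypothetical field names, standing in for
# login events exported from the Security log.
SAMPLE_EVENTS = (
    [{"account": "alice", "type": 2, "success": True},
     {"account": "alice", "type": 3, "success": True}]
    + [{"account": "svc_backup", "type": 4, "success": False}] * 3
    + [{"account": "svc_web", "type": 5, "success": False}]
    + [{"account": "bob", "type": 7, "success": False}] * 2
    + [{"account": "webuser", "type": 8, "success": True, "process": "Advapi"},
       {"account": "carol", "type": 10, "success": True}]
)


def triage(events):
    """Return (account, type_name, count, note) tuples worth a second look."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["success"] and ev["type"] == 8:
            # Type 8 means the password crossed the network in clear text.
            note = ("password sent in clear text over the network "
                    "(login process %s)" % ev.get("process", "unknown"))
            findings.append((ev["account"], LOGIN_TYPES[8], 1, note))
        elif not ev["success"]:
            failures[(ev["account"], ev["type"])] += 1
    # Report failures once per account and login type, with the failure count.
    for (account, ltype), count in sorted(failures.items()):
        name = LOGIN_TYPES.get(ltype, "Unknown")
        findings.append((account, name, count,
                         FAILURE_HINTS.get(ltype, "failed login")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("%-12s %-18s x%d  %s" % finding)
```
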