The secret in the log: how many Windows login types do you know?

  
If you pay attention to the Windows security log, you will find in the event descriptions that the "login type" is not always the same. Besides interactive login at the keyboard (login type 1), are there other types?

Yes. Windows lets you get more valuable information from the logs. It subdivides logins into a variety of types so that you can tell whether a user logged in locally or from the network, and more. Knowing these login types will help you find suspicious attacker behavior in the event log and determine how the attack is being carried out. Let's take a closer look at the Windows login types.

Login Type 2: Interactive Login (Interactive)

This should be the login method you think of first. An interactive login is one the user performs at the computer's console, that is, a login at the local keyboard. Don't forget that logging in via KVM is still an interactive login, even though it is network-based.

Login Type 3: Network

When you access a computer over the network, Windows records the login as type 3 in most cases. The most common case is connecting to a shared folder or a shared printer. Logging in to IIS over the network is also recorded as this type in most cases, but IIS logins that use basic authentication are an exception: they are recorded as type 8, as described below.

Login Type 4: Batch

When Windows runs a scheduled task, the Scheduled Task Service first creates a new login session for the task so that it can run under the user account configured for that task. When this login occurs, Windows records it as type 4 in the log. Other job-scheduling systems, depending on their design, can also generate type 4 login events when they start a job. A type 4 login usually indicates that a scheduled task has started, but it may also be a malicious user guessing a user's password through a scheduled task. Such an attempt generates a type 4 login failure event. A failed type 4 login may also mean that the password stored for the scheduled task is out of sync, for example when the user's password was changed and nobody remembered to update it in the scheduled task.

Login Type 5: Service

Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password has changed and has not been updated in the service configuration. It may also be caused by a malicious user guessing passwords, but this is relatively unlikely: creating a new service or editing an existing one requires Administrators or Server Operators membership by default, and a malicious user with that identity already has enough power to do damage and no longer needs to guess the service password.

Login Type 7: Unlock

You may want a workstation to start a password-protected screen saver automatically when its user walks away from the computer. When the user comes back and unlocks it, Windows treats the unlock operation as a type 7 login. A failed type 7 login indicates that someone has entered the wrong password or that someone is trying to unlock the computer.

Login Type 8: NetworkCleartext

This type indicates a network login like type 3, except that the password for this login was transmitted in clear text over the network. The Windows Server service does not allow connections to shared folders or printers through clear-text authentication. As far as I know, this type of login only occurs when logging in from an ASP script using Advapi or when a user logs in to IIS using basic authentication. Advapi will be listed in the "Login Process" column.

Login Type 9: NewCredentials

When you run a program using the RUNAS command with the /Netonly parameter, RUNAS runs it as the currently logged-in local user, but when the program needs to connect to other computers on the network, it connects as the user specified in the RUNAS command, and Windows records this login as type 9. If the RUNAS command is used without the /Netonly parameter, the program runs as the specified user, but the login type in the log is 2.

Login Type 10: Remote Interactive (RemoteInteractive)

When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records the login as type 10 to differentiate it from a login at the real console. Note that versions prior to XP do not support this login type. For example, Windows 2000 still records a Terminal Services login as type 2.

Login Type 11: Cached Interactive (CachedInteractive)

Windows supports a feature called cached login, which is especially useful for mobile users, for example when you are outside your own network. The feature is used when a user logs in and no domain controller can be reached. By default, Windows caches the credentials of the last 10 interactive domain logins. If you later log in as a domain user and no domain controller is available, Windows uses these cached hashes to verify your identity.

The above describes the Windows login types, but by default Windows 2000 does not record security logs. You must first enable "Audit Login Event" in Group Policy under "Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policies" before you can see the records described above. I hope that these detailed records will help you better understand your systems and keep your network stable.
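
The login types above can be applied directly when triaging exported security events. The following is an added example, not part of the original article: it parses event XML, maps the login type to its name, and attaches the interpretation this article gives for failed and clear-text logins. It assumes the event XML layout and event IDs of current Windows versions (4624 for a successful login, 4625 for a failed one), which the article itself does not mention; the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Login types as listed in this article.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Triage hints for failures, taken from the article's description of each type.
FAILURE_HINTS = {
    4: "scheduled-task password out of sync, or password guessing via a task",
    5: "service account password changed but not updated on the service",
    7: "wrong password entered at a locked workstation",
}

def parse_event(xml_text):
    """Extract the fields used for triage from one event's XML."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "logon_type": int(data["LogonType"]),
            "user": data.get("TargetUserName", ""),
            "process": data.get("LogonProcessName", "")}

def triage(ev):
    """Return (type name, note) for a parsed login event."""
    name = LOGON_TYPES.get(ev["logon_type"], "Unknown")
    if ev["logon_type"] == 8:
        return name, "password sent in clear text (process: %s)" % ev["process"]
    if ev["event_id"] == 4625:  # assumed ID of a failed login on current Windows
        hint = FAILURE_HINTS.get(ev["logon_type"], "review source and account")
        return name, "FAILED: " + hint
    return name, "ok"

# Constructed sample events (accounts and processes are made up for the example).
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>{0}</EventID></System><EventData>'
            '<Data Name="TargetUserName">{2}</Data>'
            '<Data Name="LogonType">{1}</Data>'
            '<Data Name="LogonProcessName">{3}</Data></EventData></Event>')
SAMPLES = [TEMPLATE.format(4624, 3, "alice", "NtLmSsp"),
           TEMPLATE.format(4625, 4, "svc_backup", "Advapi"),
           TEMPLATE.format(4624, 8, "webuser", "Advapi"),
           TEMPLATE.format(4624, 10, "bob", "User32")]

def report(samples=SAMPLES):
    return [(e["user"],) + triage(e) for e in map(parse_event, samples)]

if __name__ == "__main__":
    for row in report():
        print(row)
```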
