Windows login type resolution

If you pay attention to the security log of the Windows system, you will find in the event description that the "login type" is not all the same, in addition to the interactive login on the keyboard (login type 1) Are there other types?

Yes, in order for Windows to get more valuable information from the logs, it breaks down a variety of login types so that you can distinguish whether the logged in user is logged in locally or from the network, and More other ways to log in. Knowing these login methods will help you to find suspicious hacks from the event log and be able to determine how they are attacking. Let's take a closer look at the login type of Windows.

Login Type 2: Interactive Login (Interactive)

This should be your first login method. The so-called interactive login means the user is on the computer. The login on the console, which is the login on the local keyboard, but don't forget that logging in via KVM is still an interactive login, although it is web-based.

Login Type 3: Network

When you access a computer from the network, in most cases Windows is type 3, the most common The situation is when connecting to a shared folder or sharing a printer. In most cases, logging in to IIS over the network is also noted as this type, but the basic authentication method for IIS login is an exception, it will be recorded as type 8, as described below.

Login Type 4: Batch (Batch)

When Windows runs a scheduled task, “ Scheduled Task Service will create a new one for this task first. Login session so that it can run under the user account configured by this scheduled task. When this login occurs, Windows is recorded as type 4 in the log. For other types of work task systems, depending on its design, it can also A type 4 login event is generated at the beginning of the work. A type 4 login usually indicates that a scheduled task is started, but it may also be a malicious user guessing the user's password through a scheduled task. This attempt will generate a type 4 login failure event, but This failed login may also be caused by a failure to synchronize changes to the user password of the scheduled task, such as a change in the user's password and a change in the scheduled task.

Login Type 5: Service

Similar to scheduled tasks, each service is configured to run under a specific user account, when a service Initially, Windows first creates a login session for this particular user, which will be recorded as type 5, and failure type 5 usually indicates that the user's password has changed and is not updated here, although this may also be the password of the malicious user. Guessing, but this possibility is relatively small, because creating a new service or editing an existing service requires an administrator or serversoperators by default, and a malicious user of this identity already has sufficient capabilities. To do his bad things, it is no longer necessary to guess the service password.

Previous 12 Next Total 2 Pages