How much do you know about Windows login information?

  
If you pay attention to the security logs of Windows systems, you will find that the "login types" in the event descriptions are not all the same. Are there types other than interactive login at the keyboard? Yes. Windows subdivides logins into a variety of types so that you can tell whether a user logged in locally, from the network, or in some other way, which lets you get more valuable information from the logs. Knowing these login types helps you spot suspicious activity in the event log and determine how an attack is being carried out. Let's take a closer look at the Windows login types.

Login Type 2: Interactive login (Interactive). This is the login method that should come to mind first. An interactive login is one that the user performs at the computer's console, that is, on the local keyboard. Don't forget that a login through a KVM is still an interactive login, even though it is web based.

Login Type 3: Network. When you access a computer from the network, Windows records type 3 in most cases; the most common case is connecting to a shared folder or shared printer. In most cases a login to IIS over the network is also recorded as this type, but IIS basic authentication is an exception: it is recorded as type 8, as described below.

Login Type 4: Batch. When Windows runs a scheduled task, the Scheduled Task service first creates a new login session for the task so that it can run under the user account configured for it. When this login occurs, Windows records it as type 4 in the log. Other job-scheduling systems, depending on their design, can also generate type 4 login events when starting work. A type 4 login usually indicates that a scheduled task started, but it may also be a malicious user guessing a user's password through a scheduled task.
This attempt generates a type 4 login failure event, but such a failed login may also be caused by the scheduled task's account password being out of sync, for example when the user's password has changed and nobody remembered to update it in the scheduled task.

Login Type 5: Service. As with scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password has changed and has not been updated in the service. It could also be caused by a malicious user guessing the password, but this is relatively unlikely: creating a new service or editing an existing one requires Administrators or Server Operators membership by default, and a malicious user with that identity already has enough ability to do harm and has no need to guess the service password.

Login Type 7: Unlock. You may want a workstation to start a password-protected screen saver automatically when the user leaves the computer. When the user comes back and unlocks it, Windows treats the unlock operation as a type 7 login. A failed type 7 login indicates that someone entered the wrong password or that someone is trying to unlock the computer.

Login Type 8: NetworkCleartext. This is a network login like type 3, but the password for this login is transmitted over the network in clear text. The Windows Server service does not allow connections to shared folders or printers through clear-text authentication. As far as I know, this login type occurs only when logging in from an ASP script using Advapi, or when a user logs in to IIS using basic authentication. "Advapi" will be listed in the "Login Process" column.
Login Type 9: NewCredentials. When you run a program using the RUNAS command with the /Netonly parameter, RUNAS runs it as the currently logged-in local user, but if the program needs to connect to other computers on the network, it connects as the user specified in the RUNAS command, and Windows records this login as type 9. If the RUNAS command does not have the /Netonly parameter, the program runs as the specified user, and the login type in the log is 2.

Login Type 10: RemoteInteractive. When you access a computer through Terminal Services, Remote Desktop, or Remote Assistance, Windows records type 10 to distinguish it from a real console login. Note that versions prior to XP do not support this login type; Windows 2000, for example, still records Terminal Services logins as type 2.

Login Type 11: Cached Interaction (CachedInteractive). Windows supports a feature called cached login, which is especially beneficial for mobile users. For example, you use this feature when you log in as a domain user outside your own network and cannot reach the domain controller. By default, Windows caches the credentials of the last 10 interactive domain logins. If you log in as a domain user and no domain controller is available, Windows uses these hashes to verify your identity.

The above describes the Windows login types, but by default Windows 2000 does not record the security log. To see the records described above, you must first enable "Audit Login Event" under the Group Policy path "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy". I hope these detailed records will help you better understand the system and maintain network stability.
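
The type-by-type reading above can be applied mechanically when reviewing exported event descriptions. The following Python is an added example, not part of the original article: it parses event text, counts logins per type, and flags the cases the article singles out (any type 8 login, and failed type 4, 5 and 7 logins). The field labels ("User Name:", "Logon Type:", "Logon Process:") and the sample events are constructed assumptions modelled on logon event descriptions.

```python
import re
from collections import Counter

# Logon type numbers and names as listed in the article.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Triage hints for failed logons, taken from the article's explanations.
FAILURE_HINTS = {
    4: "scheduled task: stale task password, or password guessing via a task",
    5: "service: account password changed but service not updated",
    7: "unlock: wrong password entered at a locked workstation",
}

# Assumed "Label: value" layout of an event description (one field per line).
FIELD = re.compile(
    r"^[ \t]*(User Name|Logon Type|Logon Process):[ \t]*(.*?)[ \t]*$", re.M)

def parse_event(text):
    """Extract outcome, user, logon type and logon process from one event."""
    fields = dict(FIELD.findall(text))
    return {"success": text.lstrip().startswith("Successful Logon"),
            "user": fields.get("User Name", "?"),
            "type": int(fields["Logon Type"]),
            "process": fields.get("Logon Process", "?")}

def triage(events):
    """Return (Counter of logon type names, list of findings to review)."""
    counts, findings = Counter(), []
    for ev in map(parse_event, events):
        counts[LOGON_TYPES.get(ev["type"], "Unknown")] += 1
        if ev["type"] == 8:  # password crossed the network in clear text
            findings.append(
                f"{ev['user']}: cleartext network logon via {ev['process']}")
        elif not ev["success"] and ev["type"] in FAILURE_HINTS:
            findings.append(f"{ev['user']}: failed type {ev['type']} "
                            f"({FAILURE_HINTS[ev['type']]})")
    return counts, findings

# Constructed sample descriptions (not real log data).
FAIL = "Logon Failure:\n Reason: Unknown user name or bad password\n"
SAMPLE = [
    "Successful Logon:\n User Name: alice\n Logon Type: 2\n Logon Process: User32",
    "Successful Logon:\n User Name: webuser\n Logon Type: 8\n Logon Process: Advapi",
    FAIL + " User Name: svc_backup\n Logon Type: 4\n Logon Process: Advapi",
    FAIL + " User Name: bob\n Logon Type: 7\n Logon Process: User32",
]
COUNTS, FINDINGS = triage(SAMPLE)
```

A successful type 2 login produces no finding, while the type 8 login is flagged even though it succeeded, because the concern there is the clear-text password rather than the outcome.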