
Windows Event ID 4109 – Microsoft-Windows-Wininit: User Logoff Notification

Event ID 4109 records user logoff events initiated by the Windows initialization process, providing audit trail for session termination and system security monitoring.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read
Event Reference

What This Event Means

Event ID 4109 represents a critical component of Windows' security auditing system, specifically tracking user logoff operations initiated through the Windows initialization subsystem. When a user logs off from a Windows system, either voluntarily or through administrative action, the wininit process generates this event to maintain a comprehensive audit trail.

The event contains structured data including the target user's Security Identifier (SID), logon type, authentication package used, and the process responsible for initiating the logoff. This information proves invaluable for security analysts investigating user behavior patterns, compliance auditors tracking access controls, and system administrators monitoring session management.

In Windows Server environments, particularly those running Remote Desktop Services or Citrix virtualization platforms, Event ID 4109 becomes especially significant. These systems handle multiple concurrent user sessions, and tracking logoff events helps administrators understand resource utilization, identify session management issues, and maintain security compliance.

The event's timing correlation with other security events allows for sophisticated analysis of user activity chains. Security Information and Event Management (SIEM) systems frequently use Event ID 4109 as a key indicator for user session lifecycle tracking, helping detect anomalous logoff patterns that might indicate security incidents or system problems.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Normal user-initiated logoff through Start menu or Ctrl+Alt+Del
  • Administrative forced logoff using Task Manager or PowerShell commands
  • System shutdown or restart procedures terminating active user sessions
  • Group Policy enforcement causing automatic user disconnection
  • Remote Desktop Services session timeout or administrative disconnection
  • Windows Update installations requiring user session termination
  • Security policy violations triggering automatic user logoff
  • Terminal Services or Citrix session management operations
  • Fast User Switching operations on multi-user systems
  • Service account logoff events during service restart operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4109 to understand the logoff context and identify any patterns.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4109 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4109 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4109 entries to examine details including:
    • Subject Security ID and Account Name
    • Logon Type (Interactive, Network, Service, etc.)
    • Authentication Package
    • Workstation Name
    • Process Information
  6. Note the timestamp patterns and frequency of logoff events
  7. Cross-reference with Event ID 4624 (logon) and 4634 (logoff) for complete session tracking
Pro tip: Use the Event Viewer's Custom Views feature to create a persistent filter for logoff-related events (4109, 4634, 4647) for easier monitoring.
02

PowerShell Analysis and Correlation

Use PowerShell to extract and analyze Event ID 4109 data for patterns, anomalies, and correlation with other security events.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4109 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4109} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Extract detailed event properties for analysis:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4109} -MaxEvents 100
    $Events | ForEach-Object {
        $Event = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            UserSID = $Event.Event.EventData.Data[0].'#text'
            UserName = $Event.Event.EventData.Data[1].'#text'
            LogonType = $Event.Event.EventData.Data[4].'#text'
            ProcessName = $Event.Event.EventData.Data[9].'#text'
        }
    } | Format-Table -AutoSize
  4. Correlate with logon events to track session duration:
    $LogoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4109} -MaxEvents 20
    $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 50
    
    # Compare timestamps and user accounts for session analysis
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4109} -MaxEvents 1000 | Export-Csv -Path "C:\Temp\Event4109_Analysis.csv" -NoTypeInformation
Warning: Large Security logs can impact system performance. Use -MaxEvents parameter to limit query scope and consider running during maintenance windows.
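Step 4 above leaves the actual correlation to the reader. The following script, added here as an example and not taken from the article, pairs each Event ID 4109 logoff with the 4624 logon that opened the same session and reports the session duration. It assumes, as the article's method 05 does, that the 4109 EventData carries a SubjectLogonId field matching the TargetLogonId of the corresponding 4624 event; the one-day window is an assumption as well.

```powershell
# Added example (not the article's code): match 4109 logoffs to 4624 logons by Logon ID.
# Assumes the 4109 EventData exposes SubjectLogonId, as the article's method 05 shows.
# Requires an elevated Windows PowerShell session.

function Get-EventDataValue {
    # Read a named EventData field from an event's XML rendering
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Since = (Get-Date).AddDays(-1)   # assumed analysis window

# Index logons by Logon ID so each logoff can be matched without rescanning
$LogonById = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = Get-EventDataValue -Event $_ -Name 'TargetLogonId'
        if ($id -and -not $LogonById.ContainsKey($id)) { $LogonById[$id] = $_ }
    }

$Sessions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4109; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $logonId = Get-EventDataValue -Event $_ -Name 'SubjectLogonId'
        $logon   = if ($logonId) { $LogonById[$logonId] } else { $null }
        [PSCustomObject]@{
            User            = Get-EventDataValue -Event $_ -Name 'SubjectUserName'
            LogonId         = $logonId
            LogonTime       = if ($logon) { $logon.TimeCreated } else { $null }
            LogoffTime      = $_.TimeCreated
            DurationMinutes = if ($logon) { [math]::Round(($_.TimeCreated - $logon.TimeCreated).TotalMinutes, 1) } else { $null }
            # A logoff with no logon in the window deserves a second look (see the FAQ on suspicious patterns)
            OrphanLogoff    = -not $logon
        }
    }

$Sessions | Sort-Object LogoffTime | Format-Table -AutoSize
```

Matching on Logon ID rather than on account name keeps concurrent sessions of the same user apart, which is exactly the case the article flags for Remote Desktop and Fast User Switching hosts. Rows with OrphanLogoff set to True are the ones to check against a longer logon window before treating them as anomalies.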
03

Configure Advanced Audit Policies

Enhance Event ID 4109 logging by configuring advanced audit policies to capture more detailed logoff information and related security events.

  1. Open Local Group Policy Editor by running gpedit.msc
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
  3. Configure Logon/Logoff audit subcategories:
    • Audit Logoff: Set to Success
    • Audit Logon: Set to Success and Failure
    • Audit Other Logon/Logoff Events: Set to Success and Failure
  4. Apply the same settings from the command line (for example from a script run on each system):
    # Enable detailed logoff auditing
    auditpol /set /subcategory:"Logoff" /success:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
  5. Verify current audit policy settings:
    auditpol /get /category:"Logon/Logoff"
  6. Configure Security log size to accommodate increased logging:
    # Increase Security log size to 100MB
    wevtutil sl Security /ms:104857600
  7. Test the configuration by performing a logoff and verifying Event ID 4109 appears with enhanced details
Pro tip: Use Group Policy Management Console to deploy audit policy changes across multiple domain-joined systems simultaneously.
04

Automated Monitoring and Alerting Setup

Implement automated monitoring for Event ID 4109 to detect unusual logoff patterns and potential security incidents.

  1. Create a PowerShell monitoring script:
    # Save as Monitor-Event4109.ps1 (run under Windows PowerShell 5.1: Write-EventLog is not available in PowerShell 7)
    param(
        [int]$CheckIntervalMinutes = 15,
        [int]$AlertThreshold = 10
    )
    
    # Write-EventLog fails unless the source is registered; this one-time step needs Administrator rights
    if (-not [System.Diagnostics.EventLog]::SourceExists("Custom Monitor")) {
        New-EventLog -LogName Application -Source "Custom Monitor"
    }
    
    while ($true) {
        $StartTime = (Get-Date).AddMinutes(-$CheckIntervalMinutes)
        # Get-WinEvent errors when nothing matches; suppress that and wrap in @() so Count is always defined
        $Events = @(Get-WinEvent -FilterHashtable @{
            LogName='Security'
            Id=4109
            StartTime=$StartTime
        } -ErrorAction SilentlyContinue)
        
        if ($Events.Count -gt $AlertThreshold) {
            $Message = "High logoff activity detected: $($Events.Count) Event ID 4109 entries in last $CheckIntervalMinutes minutes"
            Write-EventLog -LogName Application -Source "Custom Monitor" -EventId 1001 -EntryType Warning -Message $Message
            # Add email notification or SIEM integration here
        }
        
        Start-Sleep -Seconds ($CheckIntervalMinutes * 60)
    }
  2. Register the script as a scheduled task:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-Event4109.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    
    Register-ScheduledTask -TaskName "Monitor Event 4109" -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings
  3. Configure Windows Event Forwarding for centralized monitoring:
    # On collector server, create subscription
    wecutil cs event4109-subscription.xml
  4. Create custom Windows Performance Toolkit (WPT) counters for logoff rate monitoring
  5. Integrate with existing SIEM solutions using Windows Event Forwarding or log shipping agents
  6. Set up dashboard visualization using tools like Grafana or Power BI for trend analysis
Warning: Continuous monitoring scripts can consume system resources. Test thoroughly in non-production environments and implement appropriate resource limits.
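Step 3 above runs wecutil cs against a subscription file the article does not show. The script below is an added example, not part of the article, that writes such a file and creates a source-initiated subscription forwarding Event ID 4109 into the collector's ForwardedEvents log. The subscription ID, description and temporary file path are assumptions; the SDDL string in AllowedSourceDomainComputers grants all domain computers (the DC group) permission to forward.

```powershell
# Added example (not the article's code): create a Windows Event Forwarding subscription
# for Event ID 4109. Run on the collector server as Administrator.

$SubscriptionFile = Join-Path $env:TEMP 'event4109-subscription.xml'   # assumed path

# Single-quoted here-string: nothing inside is interpolated by PowerShell
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Event4109-Logoff</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward Wininit logoff events (Event ID 4109) from domain hosts</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4109)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

# Make sure the Windows Event Collector service is configured and running (quiet mode)
wecutil qc /q

# Write the file and create the subscription from it
Set-Content -Path $SubscriptionFile -Value $SubscriptionXml -Encoding UTF8
wecutil cs $SubscriptionFile

# Confirm the subscription was created and review its effective settings
wecutil gs Event4109-Logoff
```

The collector side alone is not enough: source computers must be pointed at the collector through the "Configure target Subscription Manager" Group Policy setting, and the Network Service account on each source needs read access to the Security log, otherwise the subscription stays empty. MinLatency trades bandwidth for speed; for a low-volume event such as this one that is usually the right choice for alerting.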
05

Forensic Analysis and Incident Response

Perform comprehensive forensic analysis of Event ID 4109 for security incident investigation and compliance reporting.

  1. Export comprehensive event data for analysis:
    # Export events with full XML details
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4109} -MaxEvents 5000
    $DetailedEvents = $Events | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            EventId = $_.Id
            SubjectUserSid = $EventData[0].'#text'
            SubjectUserName = $EventData[1].'#text'
            SubjectDomainName = $EventData[2].'#text'
            SubjectLogonId = $EventData[3].'#text'
            LogonType = $EventData[4].'#text'
            ProcessId = $EventData[5].'#text'
            ProcessName = $EventData[6].'#text'
            IpAddress = $EventData[7].'#text'
            IpPort = $EventData[8].'#text'
        }
    }
    $DetailedEvents | Export-Csv -Path "C:\Forensics\Event4109_Detailed.csv" -NoTypeInformation
  2. Correlate with other security events for timeline reconstruction:
    # Create comprehensive logon/logoff timeline
    $SecurityEvents = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4624,4634,4647,4109
        StartTime=(Get-Date).AddDays(-7)
    } | Sort-Object TimeCreated
    
    $SecurityEvents | Select-Object TimeCreated, Id, @{Name='EventType';Expression={
        switch ($_.Id) {
            4624 {'Logon'}
            4634 {'Logoff'}
            4647 {'User Initiated Logoff'}
            4109 {'Wininit Logoff'}
        }
    }} | Export-Csv -Path "C:\Forensics\Security_Timeline.csv"
  3. Analyze logoff patterns for anomaly detection:
    # Statistical analysis of logoff patterns
    $LogoffStats = $DetailedEvents | Group-Object SubjectUserName | ForEach-Object {
        $UserEvents = $_.Group | Sort-Object TimeCreated
        $TimeDiffs = for ($i = 1; $i -lt $UserEvents.Count; $i++) {
            ($UserEvents[$i].TimeCreated - $UserEvents[$i-1].TimeCreated).TotalMinutes
        }
        [PSCustomObject]@{
            UserName = $_.Name
            LogoffCount = $_.Count
            AvgTimeBetweenLogoffs = ($TimeDiffs | Measure-Object -Average).Average
            MinTimeBetweenLogoffs = ($TimeDiffs | Measure-Object -Minimum).Minimum
            MaxTimeBetweenLogoffs = ($TimeDiffs | Measure-Object -Maximum).Maximum
        }
    }
    $LogoffStats | Format-Table -AutoSize
  4. Generate compliance reports with proper chain of custody documentation
  5. Create incident response playbooks incorporating Event ID 4109 analysis procedures
  6. Document findings using standardized forensic reporting templates
Pro tip: Maintain separate forensic analysis environments to preserve evidence integrity and ensure admissibility in legal proceedings.

Overview

Event ID 4109 fires when the Windows initialization process (wininit.exe) records a user logoff event. This event appears in the Security log and serves as part of Windows' comprehensive audit trail for user session management. The event captures essential details about user logoff operations, including the user account, session type, and logoff reason.

This event typically occurs during normal user logoff procedures, system shutdowns, or when administrative actions force user disconnections. Windows generates this event as part of its security auditing framework, making it valuable for compliance monitoring and forensic investigations. The event provides correlation data that security teams use to track user activity patterns and identify potential security incidents.

System administrators rely on Event ID 4109 to monitor user session lifecycles, especially in enterprise environments where user activity tracking is critical for security policies. The event integrates with Windows' broader security logging infrastructure and appears alongside other logoff-related events like Event ID 4634 and 4647.

Frequently Asked Questions

What does Event ID 4109 specifically track compared to other logoff events?
Event ID 4109 specifically tracks logoff events initiated by the Windows initialization process (wininit.exe), which differs from Event ID 4634 (standard logoff) and 4647 (user-initiated logoff). While 4634 records when a logon session is destroyed and 4647 captures user-initiated logoffs, Event ID 4109 focuses on logoffs processed through the Windows initialization subsystem. This typically occurs during system shutdown procedures, administrative forced logoffs, or when services terminate user sessions. The event provides unique correlation data that helps distinguish between different types of session termination scenarios.
Why am I seeing multiple Event ID 4109 entries for a single user logoff?
Multiple Event ID 4109 entries for a single logoff can occur due to several factors. Windows may generate separate events for different session components being terminated, such as interactive desktop sessions, network connections, and service-related sessions. In Remote Desktop Services environments, you might see events for both the RDP session and underlying Windows session. Additionally, if a user has multiple concurrent sessions (through Fast User Switching or Terminal Services), each session termination generates its own Event ID 4109. Group Policy processing during logoff can also trigger additional events as different policy components complete their cleanup procedures.
How can I distinguish between normal and suspicious Event ID 4109 patterns?
Normal Event ID 4109 patterns typically show regular timing aligned with business hours, consistent user accounts, and correlation with corresponding logon events. Suspicious patterns include: logoffs occurring at unusual hours without corresponding logons, rapid successive logoffs from the same account, logoffs from service accounts that shouldn't have interactive sessions, or logoffs from accounts that haven't been used recently. Additionally, logoffs without preceding logon events, or logoffs from multiple accounts simultaneously outside of scheduled maintenance windows, warrant investigation. Use baseline analysis over 30-90 days to establish normal patterns for your environment.
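The heuristics in this answer can be turned into a small detection function. The script below is an added example, not the article's code: it runs the off-hours, no-preceding-logon, rapid-succession and service-account checks over a constructed set of logon/logoff records (not real log output). Objects built from Get-WinEvent in the same shape (User, Id, Time) can be fed to the same function; the business-hours window, the five-minute threshold and the account names are assumptions.

```powershell
# Added example (not the article's code): flag Event ID 4109 logoffs that match the
# suspicious patterns described in the FAQ. Input objects need User, Id (4624 or 4109) and Time.

function Find-SuspiciousLogoff {
    param(
        [object[]]$Events,
        [int]$BusinessStartHour  = 7,      # assumed business hours
        [int]$BusinessEndHour    = 19,
        [int]$RapidLogoffMinutes = 5,      # assumed threshold for "rapid successive" logoffs
        [string[]]$ServiceAccounts = @()   # accounts that should never have interactive sessions
    )
    $sorted     = $Events | Sort-Object Time
    $lastLogon  = @{}   # user -> most recent 4624 time seen so far
    $lastLogoff = @{}   # user -> most recent 4109 time seen so far

    foreach ($e in $sorted) {
        if ($e.Id -eq 4624) { $lastLogon[$e.User] = $e.Time; continue }
        if ($e.Id -ne 4109) { continue }

        $reasons = @()
        if ($e.Time.Hour -lt $BusinessStartHour -or $e.Time.Hour -ge $BusinessEndHour) { $reasons += 'OffHours' }
        if (-not $lastLogon.ContainsKey($e.User)) { $reasons += 'NoPrecedingLogon' }
        if ($lastLogoff.ContainsKey($e.User) -and
            ($e.Time - $lastLogoff[$e.User]).TotalMinutes -lt $RapidLogoffMinutes) { $reasons += 'RapidSuccessiveLogoff' }
        if ($ServiceAccounts -contains $e.User) { $reasons += 'ServiceAccountInteractive' }
        $lastLogoff[$e.User] = $e.Time

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{ Time = $e.Time; User = $e.User; Reasons = ($reasons -join ',') }
        }
    }
}

# Constructed sample data: one normal session, one off-hours logoff with no logon,
# two logoffs two minutes apart, and a service account with an interactive session
$Sample = @(
    [PSCustomObject]@{ User = 'alice';      Id = 4624; Time = [datetime]'2026-03-18 08:55' }
    [PSCustomObject]@{ User = 'alice';      Id = 4109; Time = [datetime]'2026-03-18 17:30' }
    [PSCustomObject]@{ User = 'bob';        Id = 4109; Time = [datetime]'2026-03-18 02:14' }
    [PSCustomObject]@{ User = 'carol';      Id = 4624; Time = [datetime]'2026-03-18 10:00' }
    [PSCustomObject]@{ User = 'carol';      Id = 4109; Time = [datetime]'2026-03-18 10:01' }
    [PSCustomObject]@{ User = 'carol';      Id = 4109; Time = [datetime]'2026-03-18 10:03' }
    [PSCustomObject]@{ User = 'svc-backup'; Id = 4624; Time = [datetime]'2026-03-18 11:00' }
    [PSCustomObject]@{ User = 'svc-backup'; Id = 4109; Time = [datetime]'2026-03-18 11:20' }
)

Find-SuspiciousLogoff -Events $Sample -ServiceAccounts 'svc-backup' | Format-Table -AutoSize
```

On the sample data the function reports bob (OffHours and NoPrecedingLogon), carol's second logoff (RapidSuccessiveLogoff) and svc-backup (ServiceAccountInteractive), while alice's ordinary working-day session produces nothing. In production the thresholds should come from the 30-90 day baseline the answer recommends rather than from fixed defaults.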
Can Event ID 4109 help detect lateral movement or privilege escalation attacks?
Yes, Event ID 4109 can be valuable for detecting lateral movement and privilege escalation when analyzed with other security events. Attackers performing lateral movement often leave traces through unusual logoff patterns, such as service accounts logging off from workstations, administrative accounts with brief session durations across multiple systems, or logoffs from accounts that typically don't have interactive sessions. When correlated with Event IDs 4624 (logon), 4648 (explicit credential use), and 4672 (special privileges assigned), Event ID 4109 helps reconstruct attack timelines and identify compromised accounts moving between systems.
What should I do if Event ID 4109 is missing from my Security log?
Missing Event ID 4109 entries typically indicate audit policy configuration issues. First, verify that 'Audit Logoff' is enabled in Advanced Audit Policy Configuration under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff. Use 'auditpol /get /subcategory:"Logoff"' to check current settings. Ensure the Security log has sufficient size and isn't being overwritten too quickly. Check if log forwarding or SIEM agents are consuming events faster than expected. In domain environments, verify that Group Policy isn't overriding local audit settings. Finally, confirm that the Windows Event Log service is running and that no third-party security software is filtering or redirecting security events.
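The settings from method 03 and the checks listed in this answer can be verified in one pass. The script below is an added example, not the article's code: it parses the CSV output of auditpol (/r) for the three Logon/Logoff subcategories, inspects the Security log's configuration and confirms the Windows Event Log service is running. The 100 MB minimum mirrors the size set in method 03 and is an assumption.

```powershell
# Added example (not the article's code): report drift from the audit configuration
# this article recommends. Run as Administrator.

function Test-LogoffAuditConfig {
    param([long]$MinLogBytes = 100MB)   # assumed minimum, matching method 03's wevtutil setting
    $findings = @()

    # 1. Audit policy: parse auditpol's CSV output instead of its localized text table
    $expected = @{
        'Logoff'                    = 'Success'
        'Logon'                     = 'Success and Failure'
        'Other Logon/Logoff Events' = 'Success and Failure'
    }
    foreach ($sub in $expected.Keys) {
        $row = auditpol /get /subcategory:"$sub" /r |
            Where-Object { $_ -and $_.Trim() } |     # drop any blank lines before the header
            ConvertFrom-Csv |
            Where-Object { $_.Subcategory -eq $sub } |
            Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
        # 'Success and Failure' satisfies an expectation of plain 'Success'
        if ($actual -notlike "*$($expected[$sub])*") {
            $findings += "Audit '$sub' is '$actual'; expected '$($expected[$sub])'"
        }
    }

    # 2. Security log capacity: a small or non-overwriting log loses events silently
    $log = Get-WinEvent -ListLog Security
    if ($log.MaximumSizeInBytes -lt $MinLogBytes) {
        $findings += "Security log maximum is $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB; expected at least $($MinLogBytes / 1MB) MB"
    }
    if ($log.LogMode -eq 'Retain') {
        $findings += "Security log mode is Retain; new events are discarded once the log is full"
    }

    # 3. Nothing is written at all if the Windows Event Log service is down
    $svc = Get-Service -Name EventLog
    if ($svc.Status -ne 'Running') {
        $findings += "Windows Event Log service is $($svc.Status)"
    }

    [PSCustomObject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-LogoffAuditConfig | Format-List
```

If the function reports a subcategory as disabled even though it was set locally, Group Policy is the usual cause; gpresult /h report.html shows which GPO is supplying the effective audit settings, which is the domain-side check this answer describes.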

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
