ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security audit logs with successful logon events on a cybersecurity monitoring dashboard
Event ID 4624InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4624 – Microsoft-Windows-Security-Auditing: An Account Was Successfully Logged On

Event ID 4624 records successful user authentication attempts in Windows. This security audit event fires whenever a user, service, or computer account successfully logs on to the system, providing detailed logon session information.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
17 March 202612 min read 1
Event ID 4624Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4624 represents a successful authentication event in Windows security auditing. When Windows validates credentials and grants access to a user, service, or computer account, the Local Security Authority generates this event to document the successful logon session creation. The event contains detailed information about the authentication process, including the subject (the account requesting authentication), the target account being authenticated, logon type classification, and network information when applicable.

The event structure includes multiple fields that provide context about the authentication. The Subject section identifies the account that requested the logon (often SYSTEM for service logons), while the New Logon section details the account that was actually authenticated. The Logon Type field categorizes the authentication method, ranging from interactive desktop logons (Type 2) to network logons (Type 3) and service logons (Type 5). Process information identifies the executable that initiated the logon request, and network information captures source IP addresses and workstation names for remote authentications.

This event is crucial for security monitoring because it provides a complete audit trail of successful access to Windows systems. Security teams use 4624 events to establish baselines of normal authentication patterns, detect anomalous logon behavior, and investigate security incidents. The event's comprehensive metadata enables correlation with other security events to build complete pictures of user and system activity across enterprise environments.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Interactive user logon at the console or through Remote Desktop Protocol (RDP)
  • Network authentication when accessing shared resources, file shares, or network services
  • Service account authentication during service startup or scheduled task execution
  • Batch job execution using RunAs or scheduled task credentials
  • Unlock workstation events after screen saver or lock screen activation
  • Fast User Switching between different user accounts on the same system
  • Smart card or certificate-based authentication processes
  • Windows Hello biometric authentication (fingerprint, face recognition, PIN)
  • Single Sign-On (SSO) authentication through Active Directory or Azure AD
  • Application-specific authentication using stored credentials or service principals
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to Windows LogsSecurity to examine Event ID 4624 details.

  1. Press Win + R, type eventvwr.msc, and press Enter
  2. Expand Windows Logs and click Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4624 in the Event IDs field and click OK
  5. Double-click any 4624 event to view detailed information

Key fields to examine:

  • Subject: Account that requested the logon
  • New Logon: Account that was authenticated
  • Logon Type: Method of authentication (2=Interactive, 3=Network, 5=Service, etc.)
  • Logon Process: Authentication package used
  • Source Network Address: IP address of the source system
  • Workstation Name: Name of the computer initiating the logon
Pro tip: Use the XML view tab to see all event data in a structured format for easier analysis.
02

Filter and Analyze Logon Events with PowerShell

Use PowerShell to query and analyze Event ID 4624 events with advanced filtering capabilities.

# Get recent successful logon events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 50 | 
    Select-Object TimeCreated, Id, LevelDisplayName, Message

Filter by specific logon types:

# Filter for interactive logons only (Type 2)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
$Events | Where-Object {
    ([xml]$_.ToXml()).Event.EventData.Data | 
    Where-Object {$_.Name -eq 'LogonType' -and $_.'#text' -eq '2'}
} | Select-Object TimeCreated, Message

Extract specific event data fields:

# Parse event data into custom objects
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100
$LogonEvents | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $eventData = $xml.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        TargetUserName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        LogonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
        IpAddress = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
        WorkstationName = ($eventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
    }
} | Format-Table -AutoSize
Pro tip: Save filtered results to CSV for further analysis: | Export-Csv -Path "C:\Temp\Logon_Events.csv" -NoTypeInformation
03

Configure Advanced Audit Policies for Enhanced Logging

Optimize audit policy settings to capture the most relevant logon events while managing log volume.

Check current audit policy settings:

# View current logon audit settings
auditpol /get /subcategory:"Logon"

Configure audit policies through Group Policy:

  1. Open Group Policy Management Console (gpmc.msc)
  2. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Audit PoliciesLogon/Logoff
  4. Configure Audit Logon to Success (and optionally Failure)

Set audit policies via command line:

# Enable success and failure auditing for logon events
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Configure Security log size and retention:

  1. Open Event ViewerWindows LogsSecurity
  2. Right-click Security and select Properties
  3. Set Maximum log size to appropriate value (e.g., 1 GB)
  4. Choose retention method: Archive the log when full or Overwrite events as needed
Warning: Enabling failure auditing can generate significant log volume in environments with authentication issues.
04

Implement Automated Monitoring and Alerting

Create automated monitoring solutions to track suspicious logon patterns and generate alerts for security incidents.

Create a PowerShell script for continuous monitoring:

# Monitor for unusual logon patterns
$StartTime = (Get-Date).AddHours(-1)
$SuspiciousLogons = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4624
    StartTime=$StartTime
} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $eventData = $xml.Event.EventData.Data
    $logonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
    $ipAddress = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
    $userName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
    
    # Flag suspicious patterns
    if ($logonType -eq '3' -and $ipAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
        [PSCustomObject]@{
            Time = $_.TimeCreated
            User = $userName
            Type = $logonType
            SourceIP = $ipAddress
            Suspicious = 'External Network Logon'
        }
    }
} | Where-Object {$_.Suspicious}

if ($SuspiciousLogons) {
    $SuspiciousLogons | Format-Table
    # Send alert email or write to monitoring system
}

Set up Windows Task Scheduler for automated execution:

  1. Open Task Scheduler (taskschd.msc)
  2. Click Create Basic Task in the Actions pane
  3. Name the task "Logon Event Monitor" and set appropriate trigger (e.g., every 15 minutes)
  4. Set action to start PowerShell with your monitoring script
  5. Configure task to run with appropriate permissions

Use Windows Event Forwarding for centralized collection:

# Configure event forwarding subscription
wecutil cs subscription.xml

# Example subscription XML content:
# <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
#   <SubscriptionId>LogonEvents</SubscriptionId>
#   <Query><![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[EventID=4624]]</Select></Query></QueryList>]]></Query>
# </Subscription>
Pro tip: Integrate with SIEM solutions like Microsoft Sentinel or Splunk for enterprise-scale monitoring and correlation.
05

Advanced Forensic Analysis and Correlation

Perform comprehensive forensic analysis by correlating Event ID 4624 with related security events for incident investigation.

Correlate with logoff events (4634) to track session duration:

# Find matching logon/logoff pairs
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 100
$LogoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} -MaxEvents 100

$SessionAnalysis = foreach ($logon in $LogonEvents) {
    $logonXml = [xml]$logon.ToXml()
    $logonData = $logonXml.Event.EventData.Data
    $logonId = ($logonData | Where-Object {$_.Name -eq 'TargetLogonId'}).'#text'
    $userName = ($logonData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
    
    $matchingLogoff = $LogoffEvents | Where-Object {
        $logoffXml = [xml]$_.ToXml()
        $logoffData = $logoffXml.Event.EventData.Data
        $logoffId = ($logoffData | Where-Object {$_.Name -eq 'TargetLogonId'}).'#text'
        $logoffId -eq $logonId
    } | Select-Object -First 1
    
    [PSCustomObject]@{
        User = $userName
        LogonTime = $logon.TimeCreated
        LogoffTime = if ($matchingLogoff) { $matchingLogoff.TimeCreated } else { 'Still Active' }
        SessionDuration = if ($matchingLogoff) { 
            New-TimeSpan -Start $logon.TimeCreated -End $matchingLogoff.TimeCreated 
        } else { 'Ongoing' }
        LogonId = $logonId
    }
}

$SessionAnalysis | Format-Table -AutoSize

Analyze authentication patterns and detect anomalies:

# Detect unusual logon times or frequencies
$TimeWindow = (Get-Date).AddDays(-7)
$RecentLogons = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4624
    StartTime=$TimeWindow
}

# Group by user and analyze patterns
$UserPatterns = $RecentLogons | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $eventData = $xml.Event.EventData.Data
    [PSCustomObject]@{
        User = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        Time = $_.TimeCreated
        Hour = $_.TimeCreated.Hour
        DayOfWeek = $_.TimeCreated.DayOfWeek
        LogonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
        SourceIP = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
    }
} | Group-Object User

# Identify users with unusual patterns
foreach ($userGroup in $UserPatterns) {
    $user = $userGroup.Name
    $logons = $userGroup.Group
    
    # Check for off-hours activity (before 6 AM or after 10 PM)
    $offHoursLogons = $logons | Where-Object {$_.Hour -lt 6 -or $_.Hour -gt 22}
    
    if ($offHoursLogons) {
        Write-Host "ALERT: User $user has off-hours logons:" -ForegroundColor Red
        $offHoursLogons | Format-Table Time, LogonType, SourceIP
    }
}

Export comprehensive forensic report:

# Generate detailed forensic report
$ForensicReport = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 | 
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $eventData = $xml.Event.EventData.Data
    [PSCustomObject]@{
        EventTime = $_.TimeCreated
        EventID = $_.Id
        SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        TargetUserName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        LogonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
        LogonProcessName = ($eventData | Where-Object {$_.Name -eq 'LogonProcessName'}).'#text'
        AuthenticationPackageName = ($eventData | Where-Object {$_.Name -eq 'AuthenticationPackageName'}).'#text'
        WorkstationName = ($eventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
        SourceNetworkAddress = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
        SourcePort = ($eventData | Where-Object {$_.Name -eq 'IpPort'}).'#text'
    }
}

$ForensicReport | Export-Csv -Path "C:\Forensics\Logon_Analysis_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation
Warning: Large-scale forensic analysis can consume significant system resources. Run during maintenance windows when possible.

Overview

Event ID 4624 is one of the most frequently generated security audit events in Windows environments. This event fires every time a successful authentication occurs on the system, whether it's an interactive desktop logon, network authentication, service startup, or scheduled task execution. The event captures comprehensive details about the authentication process, including the account name, logon type, source workstation, and authentication package used.

This event appears in the Security log and is generated by the Local Security Authority (LSA) subsystem. Each 4624 event corresponds to a new logon session being established on the system. The event provides forensic investigators and system administrators with crucial information for tracking user activity, identifying unauthorized access attempts that succeeded, and understanding authentication patterns across the network.

Understanding Event ID 4624 is essential for security monitoring, compliance auditing, and incident response. The event's rich metadata allows administrators to distinguish between different types of logons, track service account activity, and correlate authentication events with other system activities for comprehensive security analysis.

Frequently Asked Questions

What does Event ID 4624 mean and why is it important for security monitoring?+
Event ID 4624 indicates a successful user authentication to a Windows system. It's generated every time credentials are validated and a new logon session is created. This event is crucial for security monitoring because it provides a complete audit trail of who accessed the system, when they logged in, how they authenticated (interactive, network, service), and from where they connected. Security teams use these events to establish baseline authentication patterns, detect unauthorized access, investigate security incidents, and ensure compliance with audit requirements. The event contains rich metadata including logon type, source IP address, authentication method, and session details that enable comprehensive security analysis.
How do I distinguish between different types of logons in Event ID 4624?+
The Logon Type field in Event ID 4624 categorizes different authentication methods. Key logon types include: Type 2 (Interactive) for console or RDP logons, Type 3 (Network) for accessing shared resources, Type 4 (Batch) for scheduled tasks, Type 5 (Service) for service account authentication, Type 7 (Unlock) for workstation unlock events, Type 8 (NetworkCleartext) for IIS authentication, Type 9 (NewCredentials) for RunAs operations, Type 10 (RemoteInteractive) for Terminal Services, and Type 11 (CachedInteractive) for cached credential logons. Understanding these types helps administrators identify the context of authentication events and focus on relevant security scenarios. For example, Type 3 logons from external IP addresses might indicate potential lateral movement, while unexpected Type 2 logons could suggest unauthorized physical or remote access.
Why am I seeing so many Event ID 4624 entries and how can I manage the volume?+
High volumes of Event ID 4624 events are normal in active Windows environments because the event fires for every successful authentication, including user logons, service startups, scheduled tasks, and network resource access. To manage volume effectively, configure audit policies to focus on relevant logon types, increase Security log size to prevent event loss, implement log rotation or archiving strategies, and use filtering to focus on suspicious patterns. Consider excluding routine service account logons from alerts while maintaining full logging for compliance. Use PowerShell filtering to analyze specific timeframes, users, or logon types rather than reviewing all events. For enterprise environments, implement centralized logging with SIEM solutions that can correlate events and reduce noise through intelligent filtering and baseline analysis.
How can I use Event ID 4624 to detect potential security threats?+
Event ID 4624 can reveal several security threats when analyzed properly. Look for logons from unusual locations (external IP addresses), off-hours authentication (outside normal business hours), multiple rapid logons from different locations (impossible travel), service account interactive logons (Type 2), privileged account network logons from unexpected sources, and authentication using unusual processes or packages. Correlate 4624 events with failed logon attempts (4625) to identify successful attacks after brute force attempts. Monitor for logons immediately following privilege escalation events or system changes. Use baseline analysis to identify deviations from normal authentication patterns for each user. Implement automated alerting for high-risk scenarios like administrator account logons from new locations or service accounts used for interactive sessions.
What information should I collect from Event ID 4624 for incident response and forensics?+
For comprehensive incident response, collect the complete event data including timestamp, target username, subject username (account requesting logon), logon type, source network address, workstation name, logon process name, authentication package, logon GUID, and process information. Correlate with related events like 4625 (failed logons), 4634 (logoffs), 4648 (explicit credential use), and 4672 (special privileges assigned). Document session duration by matching logon/logoff pairs, identify concurrent sessions for the same user, track privilege escalation events, and analyze authentication patterns over time. Export filtered event data to CSV or JSON for analysis tools, preserve original event logs for legal requirements, and create timeline analysis showing user activity progression. Include network context like DNS resolution of source IPs and geolocation data to build complete attack narratives.
Documentation

References (2)

1
Microsoft Security Auditing Events - Event 4624Official Microsoft documentation detailing Event ID 4624 structure, fields, and security implicationshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
2
Advanced Security Audit Policy SettingsComprehensive guide to configuring Windows audit policies for optimal security monitoringhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4624#security-auditing#authentication-monitoring

Related Windows Events

Windows Security Event Viewer displaying Event ID 4647 user logoff events on a security monitoring dashboard
Event 4647
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 189 min
Windows Event Viewer displaying security audit logs with Event ID 4634 logoff events on a SOC monitoring dashboard
Event 4634
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off

Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

March 1812 min
Windows Event Viewer Security log displaying Event ID 4723 password change audit entries on a cybersecurity monitoring dashboard
Event 4723
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4723 – Microsoft-Windows-Security-Auditing: User Account Password Change Attempt

Event ID 4723 logs when a user attempts to change another user's password. This security audit event tracks administrative password reset operations and helps monitor unauthorized password modifications across Windows domains.

March 1712 min
Security analyst monitoring Windows Event ID 4625 failed logon events in a cybersecurity operations center
Event 4625
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting brute force attacks, credential issues, and unauthorized access attempts across domain and local accounts.

March 1712 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...