ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security audit logs with Event ID 4634 logoff events on a SOC monitoring dashboard
Event ID 4634InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4634 – Microsoft-Windows-Security-Auditing: An Account Was Logged Off

Event ID 4634 records when a user account logs off from a Windows system. This security audit event tracks logoff activities for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4634Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4634 represents a fundamental component of Windows security auditing infrastructure. When a user session terminates, Windows Security Auditing subsystem generates this event to maintain comprehensive audit trails of user activities. The event captures the moment when authentication tokens are invalidated and user sessions are formally closed.

The event structure includes several key fields: Subject Security ID identifies the account being logged off, Logon Type indicates how the user originally authenticated (interactive, network, service, etc.), and Logon ID provides a unique session identifier that correlates with the corresponding 4624 logon event. This correlation capability makes 4634 events invaluable for session duration analysis and security investigations.

In enterprise environments, 4634 events generate significant log volume, especially on terminal servers and domain controllers. The event fires for both successful and forced logoffs, including those triggered by Group Policy settings, administrative actions, or system shutdowns. Modern Windows versions in 2026 have enhanced the event with additional context fields for cloud-integrated scenarios and hybrid identity environments.

Security teams use 4634 events to detect anomalous logoff patterns, such as unusually short sessions that might indicate automated attacks or compromised accounts. The event also supports compliance requirements for tracking user access duration and maintaining detailed audit logs for regulatory purposes.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User explicitly logs off through Start menu or Ctrl+Alt+Del
  • Remote Desktop session disconnection or termination
  • System shutdown or restart initiated by user or administrator
  • Session timeout due to inactivity policies
  • Administrative forced logoff using tools like logoff.exe or PowerShell
  • Group Policy enforced session limits or logon hours restrictions
  • Service account logoff after completing scheduled tasks
  • Network authentication session expiration
  • Terminal Services session limit enforcement
  • System crash or unexpected shutdown
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific 4634 event details to understand the logoff context:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4634 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4634 in the Event IDs field and click OK
  5. Double-click a 4634 event to view details including:
    • Subject Security ID: The account that logged off
    • Logon Type: How the user originally authenticated
    • Logon ID: Unique session identifier for correlation
  6. Note the timestamp and compare with corresponding 4624 logon events to determine session duration
Pro tip: Use the Logon ID to correlate 4634 logoff events with their corresponding 4624 logon events for complete session analysis.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze 4634 events across multiple systems:

  1. Open PowerShell as Administrator
  2. Query recent logoff events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='LogonType';Expression={$_.Properties[4].Value}}
  3. Filter events for specific users:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} | Where-Object {$_.Properties[1].Value -like '*username*'} | Format-Table TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}} -AutoSize
  4. Analyze logoff patterns over time:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634; StartTime=(Get-Date).AddDays(-7)} | Group-Object @{Expression={$_.TimeCreated.Date}} | Select-Object Name, Count | Sort-Object Name
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} -MaxEvents 1000 | Export-Csv -Path "C:\Logs\Logoff_Events.csv" -NoTypeInformation
Pro tip: Combine 4634 queries with 4624 events using the Logon ID field to calculate exact session durations.
03

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture comprehensive logoff events:

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Audit PoliciesLogon/Logoff
  4. Configure Audit Logoff policy:
    • Right-click and select Properties
    • Check Configure the following audit events
    • Enable Success to capture normal logoffs
    • Enable Failure if investigating forced disconnections
  5. Verify current audit settings via command line:
    auditpol /get /subcategory:"Logoff"
  6. Apply settings and force Group Policy update:
    gpupdate /force
  7. Test configuration by logging off and checking for new 4634 events
Warning: Enabling comprehensive audit policies increases log volume significantly. Ensure adequate log storage and retention policies.
04

Correlate with System Performance Data

Investigate unusual logoff patterns by correlating 4634 events with system performance metrics:

  1. Open Performance Monitor (perfmon.msc) to check system resource usage during logoff times
  2. Create a custom Data Collector Set:
    • Right-click User DefinedNewData Collector Set
    • Add counters for Memory, Processor, and Network utilization
    • Set collection interval to 1 second for detailed analysis
  3. Query 4634 events with system context:
    $LogoffEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634; StartTime=(Get-Date).AddHours(-1)}
foreach ($Event in $LogoffEvents) {
    $SystemLog = Get-WinEvent -FilterHashtable @{LogName='System'; StartTime=$Event.TimeCreated.AddMinutes(-2); EndTime=$Event.TimeCreated.AddMinutes(2)}
    Write-Output "Logoff at $($Event.TimeCreated): $($SystemLog.Count) system events nearby"
}
  4. Check for related system events around logoff times:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074,6005,6006,6008} | Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-1)} | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  5. Analyze Terminal Services events for RDP logoffs:
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id=21,23,24,25} -MaxEvents 100
05

Implement Automated Monitoring and Alerting

Set up automated monitoring for suspicious logoff patterns using Windows Event Forwarding and PowerShell:

  1. Configure Windows Event Forwarding on collector server:
    wecutil qc /q
winrm quickconfig -q
  2. Create custom event subscription for 4634 events:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logoff-Monitoring</SubscriptionId>
  <Query>
    <Select Path="Security">*[System[EventID=4634]]</Select>
  </Query>
</Subscription>
  3. Deploy PowerShell monitoring script:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 4634" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    if ($Event.User -match 'Administrator|Domain Admin') {
        Send-MailMessage -To 'security@company.com' -Subject 'Admin Logoff Alert' -Body "Admin logoff detected: $($Event.User) at $($Event.TimeGenerated)"
    }
}
  4. Configure registry settings for enhanced logging:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "AuditBaseObjects" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "FullPrivilegeAuditing" -Value 1
  5. Create scheduled task for daily logoff analysis:
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\LogoffAnalysis.ps1'
$Trigger = New-ScheduledTaskTrigger -Daily -At '06:00AM'
Register-ScheduledTask -TaskName 'Daily Logoff Analysis' -Action $Action -Trigger $Trigger
Pro tip: Use SIEM integration to correlate 4634 events with other security events for comprehensive threat detection.

Overview

Event ID 4634 fires whenever a user account logs off from a Windows system, whether through explicit logoff, session timeout, or system shutdown. This security audit event appears in the Security log and serves as the counterpart to Event ID 4624 (successful logon). The event captures critical details including the user account, logon type, and session duration.

This event is essential for security monitoring, compliance auditing, and user activity tracking. System administrators rely on 4634 events to understand user session patterns, investigate security incidents, and maintain audit trails. The event fires for all logon types including interactive, network, service, and remote desktop sessions.

Windows generates this event automatically when audit policy for "Audit Logon Events" is enabled. The event provides forensic value by correlating with logon events to establish complete user session timelines. Understanding 4634 patterns helps identify unusual logoff behaviors, forced disconnections, and potential security issues.

Frequently Asked Questions

What does Event ID 4634 mean and when does it occur?+
Event ID 4634 indicates that a user account has been logged off from a Windows system. This security audit event occurs whenever a user session terminates, whether through explicit logoff, session timeout, system shutdown, or administrative action. The event is generated by the Microsoft-Windows-Security-Auditing source and appears in the Security log. It serves as the counterpart to Event ID 4624 (successful logon) and is essential for tracking user session lifecycles, security monitoring, and compliance auditing.
How can I correlate Event ID 4634 with the corresponding logon event?+
Use the Logon ID field present in both Event ID 4634 (logoff) and Event ID 4624 (logon) events to correlate them. The Logon ID is a unique hexadecimal value that remains consistent throughout a user session. You can query both events using PowerShell: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} | Where-Object {$_.Properties[7].Value -eq '0x12345'} (replace with actual Logon ID). This correlation allows you to calculate session duration and analyze user activity patterns.
Why am I seeing multiple Event ID 4634 entries for the same user?+
Multiple 4634 events for the same user can occur due to several reasons: the user has multiple concurrent sessions (RDP, console, network authentication), different logon types are being tracked separately (interactive vs. network), service accounts are logging off after completing tasks, or the user is accessing multiple network resources that require separate authentication sessions. Each session type and authentication context generates its own logoff event. Check the Logon Type field in the event details to distinguish between different session types.
How do I reduce the volume of Event ID 4634 logs without losing security visibility?+
To manage 4634 log volume while maintaining security oversight: configure audit policies to focus on critical accounts only using Advanced Audit Policy Configuration, implement log filtering at the collection level to exclude service accounts or specific logon types, use Windows Event Forwarding to centralize logs and apply server-side filtering, configure log retention policies to automatically archive older events, and consider using SIEM solutions that can aggregate and analyze events efficiently. You can also exclude specific users or logon types using Group Policy audit settings or PowerShell filtering rules.
What should I investigate if Event ID 4634 shows unusual patterns or timing?+
Investigate unusual 4634 patterns by examining: session duration (very short sessions might indicate automated attacks), logoff timing (after-hours activity or rapid successive logoffs), correlation with system events (crashes, forced shutdowns), user behavior changes (different logon types or locations), and corresponding 4624 events to understand the complete session lifecycle. Check for related events like 4647 (user-initiated logoff), 4800/4801 (workstation lock/unlock), and system events 1074 (shutdown initiated). Use PowerShell to analyze patterns over time and compare against baseline user behavior to identify potential security incidents.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4634 and related logon/logoff eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies to control security event generationhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4634#security-auditing#user-logoff

Related Windows Events

Windows Security Event Viewer displaying Event ID 4625 authentication failure logs on a security monitoring dashboard
Event 4625
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4625 – Microsoft-Windows-Security-Auditing: An Account Failed to Log On

Event ID 4625 records failed logon attempts in Windows Security logs. Critical for detecting unauthorized access attempts, brute force attacks, and troubleshooting authentication issues across domain and local accounts.

March 1812 min
Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed
Event 4771
Microsoft-Windows-Security-Auditing
Windows EventWarning

Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed

Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.

March 1812 min
Windows Security Event Viewer displaying authentication events on a SOC monitoring dashboard
Event 4648
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4648 – Microsoft-Windows-Security-Auditing: Logon Attempted Using Explicit Credentials

Event ID 4648 fires when a user or process attempts authentication using explicit credentials different from their current logon session, commonly seen with RunAs, network authentication, or service account operations.

March 1812 min
Windows Security Event Viewer displaying Event ID 4647 user logoff events on a security monitoring dashboard
Event 4647
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 4647 – Microsoft-Windows-Security-Auditing: User Initiated Logoff

Event ID 4647 records when a user initiates a logoff from a Windows session. This security audit event tracks user-initiated disconnections for compliance and security monitoring purposes.

March 189 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...