If you pay attention to the Windows security log, you will find in the event descriptions that the "login type" is not always the same. Besides the interactive login at the keyboard (login type 1), are there other types?
Yes. Windows subdivides logins into many types so that you can get more valuable information from the logs: you can tell whether a user logged in locally or from the network, and identify other ways of logging in as well. Knowing these login types helps you spot suspicious activity in the event log and determine how an attack is being carried out. Let's take a closer look at the Windows login types.
Login Type 2: Interactive
This should be the login method you think of first. An interactive login is one that the user performs at the computer's console, that is, on the local keyboard. Don't forget that logging in through a KVM is still an interactive login, even though it is web-based.
Login Type 3: Network
When you access a computer from the network, Windows records type 3 in most cases. The most common case is connecting to a shared folder or a shared printer. In most cases, logging in to IIS over the network is also recorded as this type. The exception is IIS basic authentication, which is recorded as type 8, as described below.
Login Type 4: Batch
When Windows runs a scheduled task, the Scheduled Task service creates a new login session for the task so that it can run under the user account configured for it. Windows records this login as type 4. Other job-scheduling systems, depending on their design, can also generate type 4 login events when they start a job. A type 4 login usually indicates that a scheduled task has started, but it may also be a malicious user guessing a user's password through scheduled tasks. Such an attempt generates a type 4 login failure event. A failed type 4 login may also simply mean that the password configured for the scheduled task was not kept in sync, for example when the user's password was changed but the change was not made in the scheduled task.
Login Type 5: Service
Similar to scheduled tasks, each service is configured to run under a specific user account. When a service starts, Windows first creates a login session for that user, which is recorded as type 5. A failed type 5 login usually indicates that the user's password has changed and has not been updated in the service configuration. It may also be caused by a malicious user guessing the password, but this is less likely: creating a new service or editing an existing one requires Administrators or Server Operators membership by default, and a malicious user with that identity already has enough power to do harm without needing to guess a service password.
Login Type 7: Unlock
You may want the workstation to automatically start a password-protected screen saver when a user leaves the computer. When the user comes back and unlocks it, Windows considers this unlocking operation a type 7 login. A failed type 7 login indicates that someone entered the wrong password or someone is trying to unlock the computer.
Login Type 8: NetworkCleartext
This login type indicates a network login like type 3, but with the password transmitted over the network in clear text. The Windows Server service does not allow connections to shared folders or printers using clear-text authentication. As far as I know, this type of login occurs only when logging in from an ASP script using Advapi, or when a user logs in to IIS using basic authentication. "Advapi" will be listed in the "Login Process" column.
Login Type 9: NewCredentials
When you run a program using the RUNAS command with the /Netonly parameter, RUNAS runs it as the currently logged-in local user, but when the program needs to connect to other computers on the network, it connects as the user specified in the RUNAS command. Windows records this login as type 9. If the RUNAS command is used without the /Netonly parameter, the program runs as the specified user, but the login type in the log is 2.
Login Type 10: RemoteInteractive
When you access a computer through Terminal Services, Remote Desktop or Remote Assistance, Windows records the login as type 10 to distinguish it from a login at the real console. Note that versions before XP do not support this login type. For example, Windows 2000 still records Terminal Services logins as type 2.
Login Type 11: CachedInteractive
Windows supports a feature called cached logon, which is especially useful for mobile users, for example when you are outside your own network. It is used when a user logs in with a domain account and no domain controller can be reached. By default, Windows caches the credentials of the last 10 interactive domain logins. If you later log in as a domain user and no domain controller is available, Windows uses these hashes to verify your identity.
The above describes the Windows login types, but by default Windows 2000 does not record security logs. You must first enable "Audit Login Event" in Group Policy under "Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy" to see the information described above. I hope these detailed records help you better understand the system and maintain network stability.
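As an added example (not part of the original article), the following Python sketch applies the readings given above to login records: it names each type, attaches the article's explanation to failed type 4, 5 and 7 logins, flags every type 8 login, and counts repeated failures per account. The record fields (`account`, `logon_type`, `success`), the `triage` function, the failure threshold of 3 and the sample data are all assumptions made for illustration; real Security log entries would first have to be exported into this shape.

```python
from collections import Counter

# Logon type numbers and names as listed in the article.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# The article's reading of a *failed* logon for the types it discusses.
FAILURE_HINTS = {
    4: "scheduled task has a stale password, or password guessing via a task",
    5: "service account password changed but service not updated",
    7: "wrong password at the unlock prompt, or someone trying to unlock",
}

def triage(events, threshold=3):
    """Return sorted findings (account, type name, reason) for review."""
    findings = set()
    failures = Counter()
    for ev in events:
        t, acct = ev["logon_type"], ev["account"]
        name = LOGON_TYPES.get(t, f"Unknown({t})")
        if t == 8:  # flagged even on success: the password crossed the network in clear text
            findings.add((acct, name, "password sent in clear text"))
        if not ev["success"]:
            failures[(acct, t)] += 1
            if t in FAILURE_HINTS:
                findings.add((acct, name, FAILURE_HINTS[t]))
    # Repeated failures for one account and type (threshold is an assumed value).
    for (acct, t), n in failures.items():
        if n >= threshold:
            name = LOGON_TYPES.get(t, f"Unknown({t})")
            findings.add((acct, name, f"{n} failed logons"))
    return sorted(findings)

# Constructed sample records (not real log output).
SAMPLE = [
    {"account": "alice", "logon_type": 2, "success": True},
    {"account": "svc_backup", "logon_type": 5, "success": False},
    {"account": "webuser", "logon_type": 8, "success": True},
    {"account": "bob", "logon_type": 10, "success": False},
    {"account": "bob", "logon_type": 10, "success": False},
    {"account": "bob", "logon_type": 10, "success": False},
    {"account": "alice", "logon_type": 11, "success": True},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```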