Windows Security Log Event ID 4624 (2023)

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Logon/Logoff
Subcategory: Logon
Type: Success
Corresponding events in Windows 2003 and before: 528, 540

4624: An account was successfully logged on

This is a highly valuable event since it documents each and every successful attempt to log on to the local computer regardless of logon type, location of the user or type of account. You can tie this event to logoff events 4634 and 4647 using Logon ID.

Win2012 adds the Impersonation Level field as shown in the example.

Win2016/10 add further fields explained below.

Description Fields in 4624

Subject:

Identifies the account that requested the logon - NOT the user who just logged on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the system.

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID

Logon Information:

  • Logon Type: See below

Remaining logon information fields are new to Windows 10/2016

  • Restricted Admin Mode: Normally "-". "Yes" for incoming Remote Desktop Connections where the client specified /restrictedAdmin on the command line. Restricted admin mode is an important way to limit the spread of admin credentials in ways they can be harvested by malware using pass-the-hash and related techniques. You should only see this for logon type 10. When you remote desktop into a server with /restrictedAdmin you get full authority on that server but it doesn't carry with you if you access other systems from within that RDP session. This field allows you to detect RDP sessions that fail to use restricted admin mode.
  • Virtual Account: Normally "No". This will be Yes in the case of services configured to logon with a "Virtual Account". Virtual Accounts only come up in Service logon types (type 5), when Windows starts a logon session in connection with a service starting up. You can configure services to run as a virtual account which is what Microsoft calls a "managed local account". Their "domain" is "NT Service" as in an instance of MS SQL Server named Supercharger running as NT SERVICE\MSSQL$SUPERCHARGER.
  • Elevated Token: Yes or No. It will be Yes if the user is a member of Administrators - kind of... The "kind of" applies to interactive logons, when you are an admin and you have User Account Control (UAC) enabled. Then when you logon you actually get 2 logon sessions: one without the Administrators SID and related privileges in your security token, and another session with all that authority. Everything you do happens under the unprivileged logon session until you attempt to run something requiring admin authority. After you approve the UAC dialog box, Windows runs that one operation under the other logon session. So in the log you will see 2 of these events, one where this field is Yes and the other No. The 2 logon sessions are connected by the Linked Logon ID described below.

Logon Type:

This is a valuable piece of information as it tells you HOW the user just logged on:

Logon Type | Description
2 | Interactive (logon at keyboard and screen of system)
3 | Network (i.e. connection to shared folder on this computer from elsewhere on network)
4 | Batch (i.e. scheduled task)
5 | Service (Service startup)
7 | Unlock (i.e. unattended workstation with password protected screen saver)
8 | NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9 | NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648. MS says "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

Impersonation Level: (Win2012 and later)

From MSDN

Anonymous | Anonymous COM impersonation level that hides the identity of the caller. Calls to WMI may fail with this impersonation level.
Default | Default impersonation.
Delegate | Delegate-level COM impersonation level that allows objects to permit other objects to use the credentials of the caller. This level, which will work with WMI calls but may constitute an unnecessary security risk, is supported only under Windows 2000.
Identify | Identify-level COM impersonation level that allows objects to query the credentials of the caller. Calls to WMI may fail with this impersonation level.
Impersonate | Impersonate-level COM impersonation level that allows objects to use the credentials of the caller. This is the recommended impersonation level for WMI calls.

New Logon:

The user who just logged on is identified by the Account Name and Account Domain. You can determine whether the account is local or domain by comparing the Account Domain to the computer name. If they match, the account is a local account on that system, otherwise a domain account.

  • Security ID: the SID of the account
  • Account Name: Logon name of the account
  • Account Domain: Domain name of the account in either the DNS name (can be upper or lowercase) or pre-Win2k NETBIOS domain name. In the case of special subjects (well known security principals) like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, ANONYMOUS LOGON this field will be "NT AUTHORITY". It can also be "NT Service" as in the case of virtual accounts for services. See above. Finally, if the account is a local account, this field will be the name of the computer.
  • Logon ID: a semi-unique (unique between reboots) number that identifies the logon session just initiated. Any events logged subsequently during this logon session will report the same Logon ID through to the logoff event 4647 or 4634.
  • Linked Logon ID: (Win2016/10) This is relevant to User Account Control and interactive logons. When an admin logs on interactively to a system with UAC enabled, Windows actually creates 2 logon sessions - one with and one without privilege. This is called a split token and this field links the 2 sessions to each other. See Elevated Token above.
  • Network Account Name: (Win2016/10) This appears to always be "-". It seems connected to LogonUser() with LOGON32_LOGON_NEW_CREDENTIALS but I've not been able to produce an example. If you have an event with this field filled in please open a forum posting on this page and let us see it.
  • Network Account Domain: (Win2016/10) see above
  • Logon GUID: Supposedly you should be able to correlate logon events on this computer with corresponding authentication events on the domain controller using this GUID, such as linking 4624 on the member computer to 4769 on the DC. But the GUIDs do not match between logon events on member computers and the authentication events on the domain controller.
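
The Logon ID and Linked Logon ID correlation described above, as an added example that is not part of the original page. It assumes the 4624, 4634 and 4647 events have already been exported into records with the hypothetical keys shown below; every sample value is constructed.

```python
from datetime import datetime

LOGON, LOGOFF = 4624, {4634, 4647}

def luid(value):
    """Logon IDs are hex strings whose case varies (0x3E7 / 0x3e7); compare them as integers."""
    return int(value, 16)

def build_sessions(records):
    """Pair each 4624 with its 4634/4647 through the Logon ID; return sessions in logon order."""
    open_sessions, sessions = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        lid = luid(rec["logon_id"])
        if rec["event_id"] == LOGON:
            # Logon IDs are only unique between reboots: a repeat means the
            # earlier session never logged a logoff (crash, power loss, ...).
            stale = open_sessions.pop(lid, None)
            if stale:
                stale["end_reason"] = "logon id reused, no logoff seen"
            session = {
                "logon_id": lid, "user": rec["user"], "start": rec["time"],
                "end": None, "end_reason": None,
                "elevated": rec.get("elevated_token") == "Yes",
                # The field is absent before Win2016/10; 0x0 means "no linked session".
                "linked": luid(rec.get("linked_logon_id") or "0x0") or None,
            }
            open_sessions[lid] = session
            sessions.append(session)
        elif rec["event_id"] in LOGOFF and lid in open_sessions:
            session = open_sessions.pop(lid)
            session["end"] = rec["time"]
            session["end_reason"] = f"event {rec['event_id']}"
    return sessions

def split_token_pairs(sessions):
    """Return (unprivileged, elevated) Logon ID pairs that UAC created for one logon."""
    by_id = {s["logon_id"]: s for s in sessions}
    pairs = set()
    for s in sessions:
        peer = by_id.get(s["linked"])
        if peer and peer["linked"] == s["logon_id"] and s["elevated"] != peer["elevated"]:
            low, high = (peer, s) if s["elevated"] else (s, peer)
            pairs.add((low["logon_id"], high["logon_id"]))
    return sorted(pairs)

def still_open(sessions):
    """Sessions with neither a logoff event nor evidence that their ID was reused."""
    return [s for s in sessions if s["end"] is None and s["end_reason"] is None]

def t(hhmmss):
    return datetime.fromisoformat("2024-01-15T" + hhmmss)

# Constructed sample: an admin's split-token logon, plus a Logon ID reused after a reboot.
RECORDS = [
    {"event_id": 4624, "time": t("09:00:00"), "logon_id": "0x5A10", "user": r"CORP\jdoe",
     "elevated_token": "No", "linked_logon_id": "0x5A0F"},
    {"event_id": 4624, "time": t("09:00:01"), "logon_id": "0x5A0F", "user": r"CORP\jdoe",
     "elevated_token": "Yes", "linked_logon_id": "0x5A10"},
    {"event_id": 4624, "time": t("10:00:00"), "logon_id": "0x7B22", "user": r"CORP\svc_backup"},
    {"event_id": 4624, "time": t("12:00:00"), "logon_id": "0x7b22", "user": r"CORP\asmith"},
    {"event_id": 4647, "time": t("17:00:00"), "logon_id": "0x5a10"},
    {"event_id": 4634, "time": t("17:00:02"), "logon_id": "0x5A0F"},
]

if __name__ == "__main__":
    result = build_sessions(RECORDS)
    for s in result:
        print(hex(s["logon_id"]), s["user"], s["start"], s["end"], s["end_reason"])
    print("split-token pairs:", [(hex(a), hex(b)) for a, b in split_token_pairs(result)])
```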

Process Information:

  • Process ID is the process ID specified when the executable started as logged in 4688.
  • Process Name: identifies the program executable that processed the logon. This is one of the trusted logon processes identified by 4611.

Network Information:

This section identifies WHERE the user was when he logged on. Of course if logon is initiated from the same computer this information will either be blank or reflect the same local computer.

  • Workstation Name: the computer name of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. Workstation may also not be filled in for some Kerberos logons since the Kerberos protocol doesn't really care about the computer account in the case of user logons and therefore lacks any field for carrying workstation name in the ticket request message.
  • Source Network Address: the IP address of the computer where the user is physically present in most cases unless this logon was initiated by a server application acting on behalf of the user. If this logon is initiated locally the IP address will sometimes be 127.0.0.1 instead of the local computer's actual IP address. This field is also blank sometimes because Microsoft says "Not every code path in Windows Server 2003 is instrumented for IP address, so it's not always filled out."
  • Source Port: identifies the source TCP port of the logon request which seems useless since with most protocols source ports are random.

Detailed Authentication Information:

  • Logon Process: (see 4611) CredPro indicates a logon initiated by User Account Control
  • Authentication Package: (see 4610 or 4622)
  • Transited Services: This has to do with server applications that need to accept some other type of authentication from the client and then transition to Kerberos for accessing other resources on behalf of the client. See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/. MS says: Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/en-us/library/cc246072.aspx
  • Package name: If this logon was authenticated via the NTLM protocol (instead of Kerberos for instance) this field tells you which version of NTLM was used. See security option "Network security: LAN Manager authentication level". This field is only populated if Authentication Package = NTLM. Possible values: “NTLM V1”, “NTLM V2”, “LM”
  • Key Length: Length of key protecting the "secure channel". See security option "Domain Member: Require strong (Windows 2000 or later) session key". If value is 0 this would indicate security option "Domain Member: Digitally encrypt secure channel data (when possible)" failed. MS says: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate authentication package.
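
One way to apply the field descriptions above to the event text, as an added example that is not part of the original page: it parses a 4624 message into sections, then reports the logon type, whether the account is local or domain, RDP logons that did not use Restricted Admin mode, and weak NTLM variants. The function names and the sample events (SRV01, CORP, the 192.0.2.x addresses) are constructed for illustration.

```python
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
SECTIONS = {"Subject", "Logon Information", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

def parse_4624(message):
    """Return {section: {field: value}}; fields outside any section are stored under ""."""
    event, section = {"": {}}, ""
    for raw in message.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current section
            section = ""
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                      # e.g. "An account was successfully logged on."
        key, value = key.strip(), value.strip()
        if not value and key in SECTIONS:
            section = key
            event.setdefault(section, {})
        else:                             # empty values (blank Workstation Name) are kept
            event[section][key] = value
    return event

def field(event, section, name, default=None):
    return event.get(section, {}).get(name, default)

def logon_type(event):
    # Windows 10/2016 list Logon Type under "Logon Information"; older layouts keep it top-level.
    value = field(event, "Logon Information", "Logon Type") or field(event, "", "Logon Type")
    return int(value) if value and value.isdigit() else None

def account_scope(event, computer_name):
    domain = (field(event, "New Logon", "Account Domain") or "").upper()
    if domain == "NT AUTHORITY":
        return "well-known principal"
    if domain == "NT SERVICE":
        return "virtual account"
    return "local" if domain == computer_name.upper() else "domain"

def review(event, computer_name):
    ltype, findings = logon_type(event), []
    restricted = field(event, "Logon Information", "Restricted Admin Mode")
    # Judge RDP logons only when the field exists (it is absent before Windows 10/2016).
    if ltype == 10 and restricted is not None and restricted != "Yes":
        findings.append("RDP logon without Restricted Admin mode")
    package = field(event, "Detailed Authentication Information", "Package Name (NTLM only)")
    if package in ("NTLM V1", "LM"):
        findings.append("weak NTLM variant: " + package)
    if ltype == 8:
        findings.append("NetworkCleartext logon: credentials sent in clear text")
    return {"account": field(event, "New Logon", "Security ID"),
            "logon_type": LOGON_TYPES.get(ltype, "unknown"),
            "scope": account_scope(event, computer_name),
            "source": field(event, "Network Information", "Source Network Address"),
            "findings": findings}

# Constructed sample events in the Windows 10/2016 layout, trimmed to the fields used here.
RDP_EVENT = r"""An account was successfully logged on.

Logon Information:
    Logon Type:             10
    Restricted Admin Mode:  -

New Logon:
    Security ID:            SRV01\Administrator
    Account Domain:         SRV01

Network Information:
    Source Network Address: 192.0.2.10

Detailed Authentication Information:
    Package Name (NTLM only): -
"""
NTLM_EVENT = r"""An account was successfully logged on.

Logon Information:
    Logon Type:             3
    Restricted Admin Mode:  -

New Logon:
    Security ID:            CORP\jdoe
    Account Domain:         CORP

Network Information:
    Source Network Address: 192.0.2.44

Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): NTLM V1
"""

if __name__ == "__main__":
    for sample in (RDP_EVENT, NTLM_EVENT):
        print(review(parse_4624(sample), "SRV01"))
```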

Examples of 4624

Windows 10 and 2016

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DESKTOP-LLHJ389$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Logon Information:
Logon Type: 7
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No

Impersonation Level: Impersonation

New Logon:
Security ID: AzureAD\RandyFranklinSmith
Account Name: rsmith@montereytechgroup.com
Account Domain: AzureAD
Logon ID: 0xFD5113F
Linked Logon ID: 0xFD5112A
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x30c
Process Name: C:\Windows\System32\lsass.exe

Network Information:
Workstation Name: DESKTOP-LLHJ389
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Negotiat
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Win2008

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: WIN-R9H529RIO4Y$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 10

New Logon:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x19f4c
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4c0
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: WIN-R9H529RIO4Y
Source Network Address: 10.42.42.211
Source Port: 1181

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Win2012

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: LB\DEV1$
Account Name: DEV1$
Account Domain: LB
Logon ID: 0x894B5E95
Logon GUID: {f09e5f81-9f19-5f11-29b8-8750c7c02be3}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: 10.42.1.161
Source Port: 59752

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

    FAQs

    What type of Windows event has ID 4624? ›

    Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer. This event is generated on the computer that was accessed, in other words, where the logon session was created. A related event, Event ID 4625 documents failed logon attempts.

    What is the difference between event ID 4624 and 4776? ›

    Event ID 4624/Logon is a session event which includes member servers. It shows a user, hostname, and IP. Event 4776 is authentication with Kerberos.

    When reviewing an event with an event ID of 4624 What is the significance of a Type 2 logon? ›

    Both network and interactive logons are recorded by event ID 4624. The logon type fields shown in the chart below are useful because they help you to identify how the user logged on. Logon type 2 indicates an interactive logon at the console. Type 3 indicates a network logon.

    What is a Type 3 logon event? ›

    Logon type 3: Network. A user or computer logged on to this computer from the network. The description of this logon type clearly states that the event logged when somebody accesses a computer from the network. Commonly it appears when connecting to shared resources (shared folders, printers etc.).

    How do you check who logged into Windows server? ›

    Step 1 – Go to Start ➔ Type “Event Viewer” and click enter to open the “Event Viewer” window. Step 2 – In the left navigation pane of “Event Viewer”, open “Security” logs in “Windows Logs”. Step 3 – You will have to look for the following event IDs for the purposes mentioned herein below.

    What is anonymous logon event viewer? ›

    ANONYMOUS LOGONs are routine events on Windows networks. Microsoft's comments: This event does not necessarily indicate the time that a user has stopped using a system. For example, if the computer is shut down or loses network connectivity it may not record a logoff event at all.

    What causes Kerberos pre authentication failed? ›

    This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user's password has expired, or the wrong password was provided.

    What is the difference between NTLM and Kerberos authentication? ›

    The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.

    How do I analyze Windows logs? ›

    Five categories can be found under Windows logs:
    1. System - Logs created by the operating system.
    2. Application- Logged by an application hosted locally.
    3. Setup - Logs created in the process of installing or changing the Windows installation.
    4. Security - Logs related to logins, privileges, and other similar events.

    What is the difference between login and special logon? ›

    The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network.

    How do you analyze Event Viewer logs? ›

    Checking Windows Event Logs
    1. Press ⊞ Win + R on the M-Files server computer. ...
    2. In the Open text field, type in eventvwr and click OK. ...
    3. Expand the Windows Logs node.
    4. Select the Application node. ...
    5. Click Filter Current Log... on the Actions pane in the Application section to list only the entries that are related to M-Files.

    Is RDP interactive logon? ›

    10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.

    Is logon Type 3 RDP? ›

    According to my knowledge and test, the Logon Type value = 3 is expected for Terminal Service and RDP. You will get this logon type 3 when you are using NLA (Network Layer Authentication) as the authentication type since it will try and pre-authenticate you prior to giving you RDP access.

    What is Seclogo? ›

    The Secondary Logon (seclogon) service enables processes to be started under alternate credentials. This allows a user to create processes in the context of different security principals.

    What is 0XC000006D? ›

    0XC000006D. The cause is either a bad username or authentication information. 0XC000006E. Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).

    Is someone logged into my computer? ›

    Review recent logins

    To see all the login activities on your PC, use Windows Event Viewer. This tool will show you all Windows services that have been accessed and logins, errors and warnings. To access the Windows Event Viewer, click the search icon and type in Event Viewer. Click Windows Logs, then choose Security.

    How do I view remote history? ›

    Click the Tools tab. In the Windows Tools section, click Remote Control. Click. against the name of a computer to view its remote-control history.

    Who has logged into my computer? ›

    How to view logon attempts on your Windows 10 PC.
    • Open the Event Viewer desktop program by typing “Event Viewer” into Cortana/the search box.
    • Select Windows Logs from the left-hand menu pane.
    • Under Windows Logs, select security.
    • You should now see a scrolling list of all events related to security on your PC.

    Who is anonymous logon? ›

    An anonymous login is a process that allows a user to login to a website anonymously, often by using "anonymous" as the username. In this case, the login password can be any text, but it is typically a user's email address. Users are able to access general services or public information by using anonymous logins.

    How do I block anonymous connections? ›

    A.
    1. Start the registry editor (regedit.exe)
    2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
    3. From the Edit menu select New - DWORD value and enter a name of RestrictAnonymous if it does not already exist.
    4. Double click the value and set to 1. Click OK.
    5. Reboot the computer.

    What event ID is a reboot? ›

    If your computer shuts down unexpectedly, Windows logs Event ID 41 the next time that the computer starts. The event text resembles the following information: Event ID: 41. Description: The system has rebooted without cleanly shutting down first.

    How do I fix Kerberos authentication error? ›

    Resolution. To resolve this problem, update the registry on each computer that participates in the Kerberos authentication process, including the client computers. We recommend that you update all of your Windows-based systems, especially if your users have to log on across multiple domains or forests.

    What is Kerberos pre-authentication? ›

    Kerberos Pre-Authentication is a security feature which offers protection against password-guessing attacks. The AS request identifies the client to the KDC in Plaintext. If Kerberos Pre-Authentication is enabled, a Timestamp will be encrypted using the user's password hash as an encryption key.

    What is the event ID for Kerberos authentication? ›

    Note: Event ID 4768 is logged for authentication attempts using the Kerberos authentication protocol. Refer to event ID 4776 for authentication attempts using NTLM authentication.

    How do I know if NTLM is being used? ›

    To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM.

    What replaced NTLM? ›

    Microsoft replaced NTLM with Kerberos as the default authentication protocol way back in Windows 2000. Kerberos is a much stronger protocol that relies on a ticket granting service or key distribution center, and uses encryption rather than hashing.

    Which is more secure Kerberos or NTLM and why? ›

    Kerberos is more secure – Kerberos does not store or send the password over the network and can use asymmetric encryption to prevent replay and Man-in-the-Middle (MiTM) attacks. Kerberos is faster – NTLM slows down domain controllers while Kerberos uses a single ticket to access multiple network resources.

    What are the 3 types of logs available through the Event Viewer? ›

    Using Windows Event Logs for Security
    • Application log – events logged by applications. ...
    • System log – events logged by the operating system. ...
    • Security log – events related to security, including login attempts or file deletion.

    How do you read computer logs? ›

    Right click on the Start button and select Control Panel > System & Security and double-click Administrative tools. Double-click Event Viewer. Select the type of logs that you wish to review (ex: Application, System)

    How do you audit event logs? ›

    Auditing logon events help the administrator or investigator to review users' activity and detect potential attacks. To log logon events run Local Security Policy. Open Local Policies branch and select Audit Policy. Double click on “Audit logon events” and enable Success and Failure options.

    What is a special logon event? ›

    A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: 4964 : Special groups have been assigned to a new logon.

    What are Windows logon types? ›

    Logon type | # | Authenticators accepted
    Interactive (also known as, Logon locally) | 2 | Password, Smartcard, other
    Network | 3 | Password, NT Hash, Kerberos ticket
    Batch | 4 | Password (stored as LSA secret)
    Service | 5 | Password (stored as LSA secret)

    What is the Advapi logon process? ›

    The logon process is marked as "advapi", which means that the logon was a Web-based logon through the IIS web server and the advapi process. If you are not hosting IIS websites, this might mean that the computer is infected.

    Should I worry about Event Viewer? ›

    A lot of users look at the events in Event Viewer and get a shock at the number of errors and warnings . . . This is normal, Windows for the most part handles all these events and recovers without any user intervention and they are nothing to worry about.

    How do I view hardware issues in Event Viewer? ›

    How to check the event viewer for hardware issues
    1. Open event viewer.
    2. Right-click the “System” log.
    3. Choose “Filter current log”
    4. Select Critical, Errors & Warnings.
    5. Leave the source as blank, which selects all sources.
    6. In the event list, look for the sources that your hardware generates.

    What are some of the common logs that can be found in the Event Viewer on a Windows server? ›

    They are Information, Warning, Error, Success Audit (Security Log) and Failure Audit (Security Log).

    What is an interactive login? ›

    Interactive login is authentication to a computer through the usage of their local user account or by their domain account, usually by pressing the CTRL+ALT+DEL keys (on a Windows machine). When the user is logged in, Windows will run applications on behalf of the user and the user can interact with those applications.

    What is the interactive user account? ›

    The interactive user is the user that is currently logged on to the computer where the COM server is running. If the identity is set to be the interactive user, all clients use the same instance of the server if the server registers its class factory as multi-use.

    What is remote interactive logon? ›

    REMOTE INTERACTIVE LOGON means a group that includes all users who have logged on through a terminal services logon. In event log you see when enable permission audit, it appeared to mark the event when user has permission to logon remotely via terminal service via SID.

    What is logon process Ntlmssp? ›

    Logon Type 3 is network logon. NTLMSSP (NT LAN Manager Security Support Provider) is a security support provider that is available on all versions of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for authentication.

    What has not been granted the requested logon type at this computer? ›

    To solve “The user has not been granted the requested logon type at this computer” error, you should make sure that the login user and all groups that belong to are allowed to log on locally to this computer.

    What is Kerberoasting? ›

    Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within the Active Directory (AD). In such an attack, an adversary masquerading as an account user with a service principal name (SPN) requests a ticket, which contains an encrypted password, or Kerberos.

    What is the difference between 4625 and 4776? ›

    You might be confused by now about how 4624 and 4625 are different from 4776, since they both indicate a successful or failed login. Actually, Event IDs 4624 and 4625 are generated when credentials are stored in local machine/ when the system cannot reach Domain Controller.

    What is pass the hash vulnerability? ›

    Pass the hash is a type of cybersecurity attack in which an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass the hash attack does not require the attacker to know or crack the password to gain access to the system.

    How do I fix error code 0xc000006d? ›

    How to fix status 0xc000006d? Error 0xc000006d occurs after Windows update while logging in. You should try to log in after restarting the PC, or boot in Safe Mode set a new PIN, Repair Windows, etc. Any of these should help you fix the error.

    What is 0xC0000064? ›

    Error code 0xC0000064 means the user name does not exist.

    What is 0xc0000234? ›

    0xc0000234 - The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

    What is event ID in Event Viewer? ›

    Event identifiers uniquely identify a particular event. Each event source can define its own numbered events and the description strings to which they are mapped in its message file. Event viewers can present these strings to the user.

    How do I fix Event ID 41? ›

    If you see a Stop error message that includes a bug check code, but Event ID 41 doesn't include that code, change the restart behavior for the computer.
    ...
    To help isolate the problem, do the following steps:
    1. Disable overclocking. ...
    2. Check the memory. ...
    3. Check the power supply. ...
    4. Check for overheating.

    What does logon ID 0x3e7 mean? ›

    The Windows logon ID (not user ID) 0x3e7 (not 0xe37) is a hardcoded LUID that represents the local system itself, i.e. all services running as "SYSTEM". For AD-joined machines, this logon ID has access to the machine's AD computer account.

    How do I view Kerberos logs? ›

    Steps to view Kerberos authentication events using Event Viewer
    1. Press Start, search for Event Viewer, and click to open it.
    2. In the Event Viewer window, on the left pane, navigate to Windows log ⟶ Security.
    3. Here, you will find a list of all the Security Events that are logged in the system.

    What is Krbtgt? ›

    The KRBTGT account is a domain default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, account name cannot be changed, and it cannot be enabled in Active Directory. For information about name forms and addressing conventions, see RFC 4120 .

    What are the 5 level events the Event Viewer shows? ›

    Each event entry is classified by Type to identify the severity of the event. They are Information, Warning, Error, Success Audit (Security Log) and Failure Audit (Security Log).

    How do I view Windows security logs? ›

    To view the security log

    Open Event Viewer. In the console tree, expand Windows Logs, and then click Security. The results pane lists individual security events. If you want to see more details about a specific event, in the results pane, click the event.

    Can RAM cause kernel power 41? ›

    Faulty RAM or memory error may also cause Kernel-Power Error 41 BSOD. Some users have reported that the issue was caused due to a faulty RAM. You can run the Memory Diagnostic Tool to check problems with it.

    What does Event 41 kernel power mean? ›

    The kernel power event ID 41 error occurs when the computer is shut down, or it restarts unexpectedly. When a computer that is running Windows starts, a check is performed to determine whether the computer was shut down cleanly. If the computer was not shut down cleanly, a Kernel Power Event 41 message is generated.

    How do I fix a kernel problem? ›

    How to Fix the Kernel Security Check Failure Error
    1. Update to the Latest Released Version of Windows 10.
    2. Update Drivers that Need to be Updated.
    3. Check for Viruses.
    4. Investigate Possible Corrupted Windows File System.
    5. Test to see if Disabling Antivirus Software Fixes the Issue.
    6. Investigate Possible Issues with RAM.

    What is logon process Seclogo? ›

    Logon process: Seclogo. Logon type: 9. Authentication Package = Negotiate. Logon type 9 means that any network connections originating from new process will use the new credentials.

    Article information

    Author: Frankie Dare

    Last Updated: 26/09/2023
