Determining a User's Logon Session

Q: When investigating users' actions in the Security log, how can we determine the type of logon session in which the user was operating? For example, we audit access to certain critical files. When looking at event ID 560, we can tell what file was opened, who opened it, the program used to open it, and what permissions were requested, but we can’t determine if the user was logged on via the local console, over the network via a shared folder, or via Terminal Services.

A: Logon event IDs 528 and 540 report the logon type, so you'll have to correlate the user activity event (event ID 560 in your example) to the logon events. When a user logs on to a computer, Windows creates a new logon session and assigns it a Logon ID. All security log events triggered by user activities report the Logon ID of the user’s logon session, so just find either event ID 528 or 540 where the event reports the same Logon ID as event ID 560. When you find the logon event for the logon session, look at the Logon Type field, which is also in the event’s description. The Logon Type field reveals how the user logged on. Logon Type 2 indicates that the user logged on interactively at the computer’s local console, Logon Type 3 indicates that the user logged on over the network through a shared folder, and Logon Type 10 indicates the user logged on via a Remote Desktop (aka Terminal Services) session.