Windows 7 Logon Failure Events Nonexistent?

2

I have a relatively new Windows 7 Professional 64-bit installation with all patches applied. I'm trying to test logon failure events to see what they look like and how they will look in our log management tool. To test, I locked the screen, entered a bad password (which gave the failure message, of course), and then logged on correctly. I then checked the event viewer, and to my surprise there were no logon failure events in the Security logs, but it did have several successful logon events!

Edit: Sorry, accidentally submitted. Anyway, does anyone know why this is the case? I can't find anything in either System or Application. It seems like a huge oversight that logon failure events are not stored by default.

Also, here are the events I see in chronological order that are associated with the successful logon:

  • Code: 4648 - Audit Success: A logon was attempted using explicit credentials.
  • Code: 4624 - Audit Success: An account was successfully logged on.
  • Code: 4624 - Audit Success: An account was successfully logged on.
  • Code: 4672 - Audit Success: Special privileges assigned to new logon.
  • Code: 4634 - Audit Success: An account was logged off.
  • Code: 4634 - Audit Success: An account was logged off.

Those two "account was logged off" messages don't make much sense to me either, but they are at the exact same time as the logon events...

Magicked

Posted 2011-08-16T17:58:48.497

Reputation: 185

Answers

3

In Group Policy Editor:

Computer Configuration
  Windows Settings
    Security Settings
      Local Policies
        Audit Policy

The setting you're looking for is "Audit Logon Events" - you can set it to log on success or failure individually.

Shinrai

Posted 2011-08-16T17:58:48.497

Reputation: 18 051

Ah hah! That was it! Thanks. It seems odd to me that this isn't enabled by default. – Magicked – 2011-08-16T18:13:27.657

@Magicked: It's not really necessary on personal computers. Having physical access, it's possible to bypass Windows entirely... Domain controllers have it on by default, of course. – user1686 – 2011-08-16T18:35:30.830

I agree with @grawity - there's no reason for this to be on by default for a standalone workstation in most situations. – Shinrai – 2011-08-16T19:20:05.760
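An added example, not part of the answer or comments above, showing the same fix from an elevated PowerShell prompt on Windows 7 or later and how to read back the failures once they exist. It assumes the built-in auditpol.exe and the Get-WinEvent cmdlet; the event ID 4625 and the status codes in the comments are standard Windows values not mentioned on this page, and auditpol sets the advanced-audit "Logon" subcategory, which on Windows 7 overrides the legacy "Audit logon events" setting if both are configured.

```powershell
# Added example: enable logon-failure auditing and list the resulting events.
# Run from an elevated PowerShell prompt (auditpol needs administrator rights).

# 1. Show the current effective setting for the Logon subcategory.
auditpol /get /subcategory:"Logon"

# 2. Turn on success and failure auditing for logons. This is the command-line
#    equivalent of "Audit logon events" under Local Policies > Audit Policy.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 3. After reproducing a bad password at the lock screen, pull the failure
#    events. Event ID 4625 = "An account failed to log on"; each event carries
#    the target account, the logon type and the NT status describing why it failed.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData is easiest to read from the XML form: each <Data Name="..."> field.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 2 = interactive, 7 = unlock, 10 = remote interactive
        Status    = $d['Status']      # 0xC000006D = logon failure (bad name or password)
        SubStatus = $d['SubStatus']   # 0xC000006A = wrong password, 0xC0000064 = no such user
        Source    = $d['IpAddress']   # '-' or 127.0.0.1 for a local console/unlock attempt
    }
}
```

A bad password at the lock screen shows up as a 4625 with LogonType 7, which is what distinguishes an unlock failure from a fresh interactive or network logon attempt when these events reach a log management tool.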