
A Windows Server 2008 HPC Edition box is permanently logging Logon and Logoff tasks for the user who is connected to it via RDP every few seconds. Is there a way to just log the user-initiated logon and logoff events?

Security log

Typical Logoff events look like this:

An account was logged off.

Subject:
Security ID:        DOMAIN\USERX
Account Name:       USERX
Account Domain:     DOMAIN
Logon ID:       0x1c4f9eb

Logon Type:         3

and typical Logon events look like this:

An account was successfully logged on.

Subject:
Security ID:        NULL SID
Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         3
New Logon:
Security ID:        DOMAIN\USERX
Account Name:       USERX
Account Domain:     DOMAIN
Logon ID:       0x1c54963
Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:     0x0
Process Name:       -

Network Information:
Workstation Name:   XX-YY
Source Network Address: -
Source Port:        -

There are only two users connected via RDP and this behaviour doesn't depend upon them doing anything specific on the server.

  • What is the user engaging in after they log in? Something must be triggering those 4624/4634 events. Can you post the contents (pls remove confidential data) of the event, e.g. what is the logon type? – Lucky Luke Sep 17 '15 at 03:53
  • @LuckyLuke I have added more information to the question. – p.vitzliputzli Sep 17 '15 at 05:52
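
Separating the Logon Type 3 (Network) entries quoted in the question from interactive sessions, as an added example that is not part of the original post or its comments: the sketch parses event text in the layout shown above and keeps only Logon Type 2 (Interactive) and 10 (RemoteInteractive, the type Windows records for an RDP session). The function names and the sample, including its type 10 record and that record's Logon ID, are constructed for illustration.

```python
# 2 = Interactive (console), 10 = RemoteInteractive (RDP); 3 = Network is excluded.
USER_INITIATED = {2, 10}
HEADERS = {"An account was successfully logged on.": "logon",
           "An account was logged off.": "logoff"}

def parse_events(text):
    """Split rendered event text into dicts keyed by (section, field name)."""
    events, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line in HEADERS:
            events.append({"kind": HEADERS[line]})
            section = None
        elif not line:
            section = None                  # a blank line ends a section
        elif not events:
            continue                        # text before the first event
        elif line.endswith(":"):
            section = line[:-1]             # "Subject:", "New Logon:", ...
        else:
            key, _, value = line.partition(":")
            events[-1][(section, key.strip())] = value.strip()
    return events

def user_initiated(events):
    """Return (kind, account, logon_id) for events of a user-initiated type."""
    kept = []
    for ev in events:
        if int(ev.get((None, "Logon Type"), -1)) not in USER_INITIATED:
            continue
        # A logon names the new session under "New Logon", a logoff under "Subject".
        where = "New Logon" if ev["kind"] == "logon" else "Subject"
        kept.append((ev["kind"], ev.get((where, "Account Name")),
                     ev.get((where, "Logon ID"))))
    return kept

# Constructed sample in the page's layout; the type 10 record is invented.
SAMPLE = """An account was successfully logged on.
Logon Type:         3
New Logon:
Account Name:       USERX
Logon ID:       0x1c54963

An account was successfully logged on.
Logon Type:         10
New Logon:
Account Name:       USERX
Logon ID:       0x2a00001
"""
print(user_initiated(parse_events(SAMPLE)))
```

Keying fields by section is what keeps the `Logon ID` of `0x0` under `Subject` apart from the session's own ID under `New Logon` in a logon event.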

0 Answers