2

I have a relatively new Windows 7 Professional 64-bit installation with all patches applied. I'm trying to test logon failure events to see what they look like and how they will look in our log management tool. To test, I locked the screen, entered a bad password (which gave the failure message, of course), and then logged on correctly. I then checked the event viewer, and to my surprise there were no logon failure events in the Security logs, but it did have several successful logon events!

Edit: Sorry, accidentally submitted. Anyway, does anyone know why this is the case? I can't find anything in either System or Application. It seems like a huge oversight that logon failure events are not stored by default.

Also, here are the events I see in chronological order that are associated with the successful logon:

  • Code: 4648 - Audit Success: A logon was attempted using explicit credentials.
  • Code: 4624 - Audit Success: An account was successfully logged on.
  • Code: 4624 - Audit Success: An account was successfully logged on.
  • Code: 4672 - Audit Success: Special privileges assigned to new logon.
  • Code: 4634 - Audit Success: An account was logged off.
  • Code: 4634 - Audit Success: An account was logged off.

Those two "account was logged off" messages don't make much sense to me either, but they are at the exact same time as the logon events...

1 Answer

3

In Group Policy Editor:

Computer Configuration
  Windows Settings
    Security Settings
      Local Policies
        Audit Policy

The setting you're looking for is "Audit Logon Events" - you can set it to log on success or failure individually.

3
  • Ah hah! That was it! Thanks. It seems odd to me that this isn't enabled by default.
    – Magicked
    Commented Aug 16, 2011 at 18:13
  • @Magicked: It's not really necessary on personal computers. Having physical access, it's possible to bypass Windows entirely... Domain controllers have it on by default, of course. Commented Aug 16, 2011 at 18:35
  • I agree with @grawity - there's no reason for this to be on by default for a standalone workstation in most situations.
    – Shinrai
    Commented Aug 16, 2011 at 19:20
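
The same setting can be checked and enabled from the command line, and the resulting failure events read back. This is an added example, not part of the original answer or comments. It assumes an elevated PowerShell prompt on an English-language Windows install (the category name is localized) and treats "Logon/Logoff" as the `auditpol` category behind the "Audit Logon Events" policy.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Show the current setting for the Logon/Logoff audit category
# (assumed here to be the category behind the "Audit logon events" policy).
auditpol /get /category:"Logon/Logoff"

# Enable success and failure auditing for that category on the local machine.
# A domain GPO that defines audit policy will overwrite this at the next refresh.
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable

# After repeating the test (lock, bad password, unlock), list the failures
# recorded in the last hour. Event ID 4625 = "An account failed to log on".
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4625 events found: auditing is still off or no failures occurred.'
} else {
    foreach ($e in $events) {
        # Event data fields are name/value pairs in the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']   # 7 = unlock, 2 = interactive
            Status    = $data['Status']
            SubStatus = $data['SubStatus']   # 0xC000006A = wrong password
        }
    }
}
```

A bad password typed at the lock screen should appear as a 4625 event with logon type 7, which is the field to key on when building the matching rule in a log management tool.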
