- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Reconstruct exactly who was signed into a Windows computer, when, from where, and by what method β console, RDP, network share, or cached domain credentials. Court-ready analysis for employment, criminal defense, and unauthorized-access matters.
Quick Answer. Windows login history forensics correlates Security event log entries (4624/4625/4634/4647/4648/4672/4740/4776/4778/4779), the Terminal Services operational logs, LogonUI artifacts, the SAM hive’s per-account LastLogon and LogonCount, cached credential MSCACHE entries, and RDP bitmap cache to answer four questions: which account authenticated, what logon type was used (interactive, network, RDP, cached), from which source machine or IP address, and for how long the session lasted.
No single artifact conclusively answers “who was on this computer.” We build a session-by-session timeline using at minimum four independent sources.
| LogonType | Meaning | What it proves |
|---|---|---|
| 2 Interactive | Console keyboard/mouse | Person physically at the machine (or KVM) |
| 3 Network | SMB/RPC/WMI from remote host | Another machine touched a share or admin API; not console presence |
| 4 Batch | Scheduled Task under user context | Automation, not a live session |
| 5 Service | Windows service running as account | Service identity, not a human logon |
| 7 Unlock | Screen unlocked | Same user resumed the session |
| 10 RemoteInteractive | RDP | Full graphical remote session; source IP in 1149 |
| 11 CachedInteractive | Cached domain credentials | Laptop offline or DC unreachable; person still typed the password |
Failed authentication is decisive in cases involving allegations of unauthorized access, password guessing, or account compromise. The 4625 event includes a Status and Sub Status that reveal why the attempt failed:
| Sub Status | Meaning |
|---|---|
| 0xC0000064 | User name does not exist |
| 0xC000006A | Wrong password (user exists) |
| 0xC0000234 | Account currently locked out |
| 0xC0000072 | Account is disabled |
| 0xC000006F | Attempt outside allowed hours |
| 0xC0000193 | Account expired |
| 0xC0000133 | Clock sync issue (Kerberos) |
Event 4740 identifies the source workstation that caused a lockout, which frequently pinpoints the machine used in an intrusion attempt.
Windows caches domain credentials so a domain-joined laptop can log in when disconnected. The number of cached logons is controlled by SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (default 10). The cached secrets themselves live encrypted in the SECURITY hive under Cache. Logon type 11 (CachedInteractive) is our signal that authentication happened without contacting a domain controller β critical in cases involving off-network laptop use, VPN outages, or claimed absences.
On a domain-joined machine, authentication is bifurcated. The workstation records 4624 with LogonType 2 or 10. The domain controller records 4776 (NTLM) and 4768/4769 (Kerberos TGT/TGS). We collect both sides where available; a case built only on the endpoint is thinner than one that also has the DC’s Kerberos trail. See Event Log Forensics and Remote Access Forensics for the corresponding remote-side analysis.
Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.
Yes. LogonType 2 (Interactive) plus LogonUI Prefetch, keyboard/mouse HID device connect events, and screen unlock (LogonType 7 or event 4801) build the physical-presence case. LogonType 10 with a source IP in 1149 establishes remote presence.
Shared accounts weaken but rarely defeat attribution. RDP source IPs, matching NTUSER.DAT LastWrite by profile, MFA logs from Entra ID / Okta / Duo, and application-layer identity (email, browser sync profile) narrow it further.
Security 4616 records system time changes; W32Time writes to System.evtx; and independent artifacts (Amcache first-executed, NTFS $StdInfo vs $FN timestamps, cloud sync timestamps) triangulate the true wall-clock time.
Highly variable. Security.evtx defaults to 20 MB and can roll every few hours on a busy DC or persist for months on a quiet laptop. We report actual coverage per artifact.
Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant