Windows Logon History Β· User Attribution

Windows Login History and User Activity Forensics

Reconstruct exactly who was signed into a Windows computer, when, from where, and by what method β€” console, RDP, network share, or cached domain credentials. Court-ready analysis for employment, criminal defense, and unauthorized-access matters.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Windows login history forensics correlates Security event log entries (4624/4625/4634/4647/4648/4672/4740/4776/4778/4779), the Terminal Services operational logs, LogonUI artifacts, the SAM hive’s per-account LastLogon and LogonCount, cached credential MSCACHE entries, and RDP bitmap cache to answer four questions: which account authenticated, what logon type was used (interactive, network, RDP, cached), from which source machine or IP address, and for how long the session lasted.

The full logon picture, artifact by artifact

No single artifact conclusively answers “who was on this computer.” We build a session-by-session timeline using at minimum four independent sources.

  1. Security.evtx β€” 4624 (success) with LogonType, LogonId, TargetUserSid, IpAddress, WorkstationName. Paired 4634/4647 provides logoff. 4778/4779 tracks disconnect/reconnect of the same session.
  2. TerminalServices-LocalSessionManager/Operational β€” event 21 (session logon), 22 (shell start), 25 (reconnect), 24 (disconnect), 23 (logoff). Includes source network address for RDP.
  3. TerminalServices-RemoteConnectionManager/Operational β€” event 1149 with source IP before authentication completes.
  4. SAM hive β€” for local accounts: LastLogon, LastPasswordChange, LogonCount, InvalidLogonCount, F value flags (locked, disabled).
  5. NTUSER.DAT existence and LastWrite β€” profile creation and last active time.
  6. LogonUI / LockApp β€” Prefetch for LogonUI.exe correlates with lock/unlock cycles.

Logon type interpretation table

LogonTypeMeaningWhat it proves
2 InteractiveConsole keyboard/mousePerson physically at the machine (or KVM)
3 NetworkSMB/RPC/WMI from remote hostAnother machine touched a share or admin API; not console presence
4 BatchScheduled Task under user contextAutomation, not a live session
5 ServiceWindows service running as accountService identity, not a human logon
7 UnlockScreen unlockedSame user resumed the session
10 RemoteInteractiveRDPFull graphical remote session; source IP in 1149
11 CachedInteractiveCached domain credentialsLaptop offline or DC unreachable; person still typed the password

Failed logons and lockouts (4625, 4740, 4776)

Failed authentication is decisive in cases involving allegations of unauthorized access, password guessing, or account compromise. The 4625 event includes a Status and Sub Status that reveal why the attempt failed:

Sub StatusMeaning
0xC0000064User name does not exist
0xC000006AWrong password (user exists)
0xC0000234Account currently locked out
0xC0000072Account is disabled
0xC000006FAttempt outside allowed hours
0xC0000193Account expired
0xC0000133Clock sync issue (Kerberos)

Event 4740 identifies the source workstation that caused a lockout, which frequently pinpoints the machine used in an intrusion attempt.

Cached credentials, offline logons, and stolen laptops

Windows caches domain credentials so a domain-joined laptop can log in when disconnected. The number of cached logons is controlled by SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (default 10). The cached secrets themselves live encrypted in the SECURITY hive under Cache. Logon type 11 (CachedInteractive) is our signal that authentication happened without contacting a domain controller β€” critical in cases involving off-network laptop use, VPN outages, or claimed absences.

Attribution across a domain: workstation vs. domain controller

On a domain-joined machine, authentication is bifurcated. The workstation records 4624 with LogonType 2 or 10. The domain controller records 4776 (NTLM) and 4768/4769 (Kerberos TGT/TGS). We collect both sides where available; a case built only on the endpoint is thinner than one that also has the DC’s Kerberos trail. See Event Log Forensics and Remote Access Forensics for the corresponding remote-side analysis.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you prove someone was physically at the computer versus remote?

Yes. LogonType 2 (Interactive) plus LogonUI Prefetch, keyboard/mouse HID device connect events, and screen unlock (LogonType 7 or event 4801) build the physical-presence case. LogonType 10 with a source IP in 1149 establishes remote presence.

What if the account is shared?

Shared accounts weaken but rarely defeat attribution. RDP source IPs, matching NTUSER.DAT LastWrite by profile, MFA logs from Entra ID / Okta / Duo, and application-layer identity (email, browser sync profile) narrow it further.

How is timing established when clocks were changed?

Security 4616 records system time changes; W32Time writes to System.evtx; and independent artifacts (Amcache first-executed, NTFS $StdInfo vs $FN timestamps, cloud sync timestamps) triangulate the true wall-clock time.

How long is login history retained by default?

Highly variable. Security.evtx defaults to 20 MB and can roll every few hours on a busy DC or persist for months on a quiet laptop. We report actual coverage per artifact.

Ready to move on your windows login history & user activity matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: 4624 documentation. learn.microsoft.com
  2. Microsoft: 4625 documentation. learn.microsoft.com
  3. Microsoft: Cached credentials. learn.microsoft.com

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#LoginHistory #WindowsForensics #LogonAudit #RDPForensics #DFIR #EliteDigitalForensics #ExpertWitness

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder