Remote Interactive Login to Windows 10 Expand / Collapse
Author
Message
Posted 1/16/2018 8:00:32 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 1/16/2018 7:51:23 AM
Posts: 1, Visits: 0
Hi,

In previous Windows systems, we could find who logged in remotely to a specific machine, using EventID (4624) and LogonType (10). I'm trying to do the same for the Windows 10, but I don't see LogonType=10 registered, only as a LogonType=7. Is there any change on how Windows 10 handles this case, and if yes, how we distinguish from the PC unlock case.

Is it possible to get all these events if we only audit Domain Controllers, or do we need to collect logs from computers, as well. In our case we are using the latest Netwrix solution for this purpose.

Thank you for any help on this.
Post #7437
Posted 1/21/2018 2:53:12 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 201, Visits: 0
Type 7 logons should still only indicate an unlocked computer. I just want to confirm that you are looking for "type = 10" logs at the RDP destination, correct? There have been changes to the logon event in Windows 10 but I do not see any that indicate significant changes to how an RDP logon event would be written-https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4624.
Post #7449
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 9:29pm