Windows Logoff Events

Eric Fitzgerald at Microsoft posted a nice write-up on the subtleties of Windows logoff events. If you collect EventLog data in your SIM or if you have occasion to read EventLog files, I recommend reading Eric's post as well as the rest of mine.

To summarize (translate?), Eric's saying don't trust logoff events to indicate an actual logoff. It could be a timeout or a kerberos token expiring or being reclaimed by the server.

There's something of an exception to this, and you can probably find it in your EventLogs. EventID 538 - "User Logoff" - records a connection type with a decimal value. The value can be 2 or 3. Most of what you will see are type 3 connections, which can mean several different things. But type 2 logoffs indicate the end of an interactive (think RDP) session. That, again, doesn't guarantee that someone actually clicked Start -> Log Off, but it does indicate a definitive end to the session, whether it's a forced disconnect by the client or server, or a clean logoff.

The use case for logoff events is primarily forensic. "When was so-and-so using that system / at work?" "Who was logged on to server X between time A and time B?" And the fact that these events are soft and wonky is frustrating, but being aware of the squishiness of their meaning is important when using them in an investigation. This is where your SIM can really help, because sometimes the best indicator of a logoff/shutdown isn't a single event, but rather the end of activity. "I know Mr. Schmeaux stopped working at 3:30pm that day because there were no more events from his username or workstation IP address after that time."