Logon type 2: Interactive logon
This type of logon is generated when a user logs on to the console of a machine. Again, a user can also use a smart card or biometric methods besides the traditional keyboard and mouse.
Logon type 3: Network logon
This logon type describes a computer being accessed across the network (LAN/WAN). This is typically used to access file servers, printers, and other network devices.
Logon type 4: Batch logon
This logon type typically relates to scheduled tasks. Logon type 4 events are usually rather benign, however, a malicious user could try to guess the password of an account here.
Logon type 5: Service logon
The next type is called the service logon. When Windows starts a service that is configured to log on as a user, Windows creates a new logon session. Each service is configured to run as a specified user account.
Logon type 7: Unlock
When a user leaves a workstation for a period of time, Windows will lock the computer. This is to protect the workstation, its data, and other potential remote network data from attackers or local hackers. When a user unlocks the computer, this logon type is logged in the local Security event log.
Logon type 8: Network clear text logon
This type is similar to a network logon (Type 3), but here the password was sent over the network in cleartext. The password was passed to the authentication system on the remote system in its unhashed form. Windows always hashes passwords typed in before transmitting them over the LAN.
Logon Type 9: New credentials-based logon
This logon type describes using RunAs to start a program under a different account than the logged-in account. You use the /netonly switch in Windows to accomplish this.
Logon type 10: Remote interactive logon
This logon type sometimes referred to as “RemoteInteractive,” details using Remote Desktop Protocol (or terminal services) to access a remote workstation or server. This type is similar to #2 (Interactive), but again, we are coming from a remote location.
Logon type 11: Cached interactive logon
Our final type describes when a user logs on to the machine via cached credentials. This is very similar, again, to #2 (Interactive), but instead of a ‘live’ authentication to a domain controller, Windows locally uses previously entered (cached) credentials to grant the user access permissions to the workstation.