Request for Information on Microsoft-Windows-Winlogon/Operational Logs

skratyan 0 Reputation points
2024-09-19T12:38:47.6666667+00:00

Hello,

I am trying to normalize events collected in the SIEM system from the Microsoft-Windows-Winlogon/Operational log, but I cannot find sufficient information in the Microsoft Knowledge Base regarding the interpretation of these logs.

I found some information about this event on GitHub, but it is not enough for a proper understanding of the logs (https://github.com/repnz/etw-providers-docs/blob/master/Manifests-Win10-17134/Microsoft-Windows-Winlogon.xml#L99), as the numerical interpretation of the value in the Event field remains unclear.

On Microsoft resources, I found information about Winlogon events, but there are no event identifiers (EventID), task codes (Task), or event codes (Event) listed (https://learn.microsoft.com/ru-ru/windows/win32/secauthn/winlogon-notification-events). Additionally, we found a resource that provides views of logs for various Winlogon events, but the information there is not particularly helpful (https://windows-event-explorer.app.elstc.co/publisher/Microsoft-Windows-Winlogon).

Due to the above, I lack a sufficient understanding of the logs collected from the Winlogon journal and how to read them effectively.

Furthermore, I would like to obtain more detailed information about notification subscribers. They appear in the logs of two devices, both domain-joined and non-domain-joined.

I would like to understand what the event types in this log indicate so that I can determine which types of events are necessary for collection and how to make them more informative. Please share any information that could help with this issue. Ideally, I would appreciate a manual with interpretations of Winlogon logs.

I also posted my question here: https://answers.microsoft.com/ru-ru/windows/forum/all/request-for-information-on-microsoft-windows/05febfb0-44aa-4d66-b2f5-6b0d090fb637

Example message:

The winlogon notification subscriber <%{SubscriberName}> began handling the notification event (%{Event}).

In XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{MyGUID}" />
    <EventID>812</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>811</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000010000</Keywords>
    <TimeCreated SystemTime="2024-09-18T14:43:13.0238548Z" />
    <EventRecordID>18820</EventRecordID>
    <Correlation />
    <Execution ProcessID="9168" ThreadID="8616" />
    <Channel>Microsoft-Windows-Winlogon/Operational</Channel>
    <Computer>ComputerName</Computer>
    <Security UserID="MySecurityUserID" />
  </System>
  <EventData>
    <Data Name="Event">N</Data>
    <Data Name="SubscriberName">TermSrv</Data>
  </EventData>
</Event>

Thank you for your assistance!

Tags: Windows 10, Windows, Windows Server
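The question above asks for a "manual" for Microsoft-Windows-Winlogon/Operational and for the meaning of the numeric Event field in events such as ID 812. The provider manifest registered on every Windows host already carries both: the full event list with templates, and the value map that Event Viewer uses to render the Event number as a name. The following is an added example, not part of the original question or of any Microsoft documentation. It reads the provider metadata with Get-WinEvent -ListProvider, derives the number-to-name table for the Event field by correlating the raw EventData value with the rendered message, and flattens records into SIEM-friendly objects. The provider and log names are the real ones from the question; the function and variable names are this example's own. It assumes the manifest declares a value map for the Event field; if it does not, the rendered message shows the same number and the derived table simply maps each number to itself, which is itself the answer.

```powershell
# Added example (not from the original question): build the Winlogon "manual"
# from the provider manifest on the host, derive the number -> name table for
# the EventData "Event" field, and flatten records for SIEM normalization.
# Requires a Windows host with the provider registered; reading the
# Operational log may need an elevated PowerShell session.
# Function and variable names below are this example's own (assumptions).

$providerName = 'Microsoft-Windows-Winlogon'
$logName      = 'Microsoft-Windows-Winlogon/Operational'

# 1. Provider metadata: every event ID with level, task, opcode and
#    description. This is the authoritative event list the question could
#    not find on the documentation pages.
$provider = Get-WinEvent -ListProvider $providerName
$provider.Events |
    Sort-Object Id |
    Select-Object Id, Version,
        @{ n = 'Level';  e = { $_.Level.DisplayName } },
        @{ n = 'Task';   e = { '{0} {1}' -f $_.Task.Value, $_.Task.DisplayName } },
        @{ n = 'Opcode'; e = { $_.Opcode.DisplayName } },
        Description |
    Format-Table -AutoSize -Wrap

# 2. Which event IDs carry an EventData item named "Event"? Derived from the
#    templates rather than hard-coded (the question shows ID 812 as one).
$notifyIds = $provider.Events |
    Where-Object { $_.Template -match '<data name="Event"' } |
    ForEach-Object Id | Sort-Object -Unique

# 3. The raw number sits in <Data Name="Event">; the rendered message has the
#    manifest's map name substituted in its place (assumption: a value map
#    exists). Correlating the two over real records yields number -> name.
$records = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $notifyIds } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue

function Get-EventDataMap {
    # Returns EventData as a hashtable keyed by the Data element's Name attribute.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$eventNames = @{}
foreach ($r in $records) {
    $raw = (Get-EventDataMap $r)['Event']
    $msg = $r.FormatDescription()
    # Capture the trailing "(Name)" in "... the notification event (Name)."
    if ($raw -and $msg -match '\(([^()]+)\)\s*\.?\s*$' -and -not $eventNames.ContainsKey($raw)) {
        $eventNames[$raw] = $Matches[1]
    }
}
$eventNames.GetEnumerator() | Sort-Object { [int]$_.Key } |
    Format-Table @{ n = 'Event (raw)'; e = { $_.Key } }, @{ n = 'Rendered name'; e = { $_.Value } } -AutoSize

# 4. Normalized record: raw values and resolved names side by side, so the
#    SIEM can key on the stable numbers while analysts read the names.
function ConvertTo-WinlogonRecord {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record,
        [hashtable]$EventNames
    )
    $data = Get-EventDataMap $Record
    [pscustomobject]@{
        TimeCreated    = $Record.TimeCreated.ToUniversalTime().ToString('o')
        Computer       = $Record.MachineName
        EventId        = $Record.Id
        Task           = $Record.Task
        TaskName       = $Record.TaskDisplayName
        Opcode         = $Record.OpcodeDisplayName
        Keywords       = ($Record.KeywordsDisplayNames -join ',')
        UserSid        = if ($Record.UserId) { $Record.UserId.Value } else { $null }
        SubscriberName = $data['SubscriberName']
        EventRaw       = $data['Event']
        EventName      = if ($data['Event'] -and $EventNames.ContainsKey($data['Event'])) { $EventNames[$data['Event']] } else { $null }
        Message        = $Record.FormatDescription()
    }
}

$records | Select-Object -First 5 |
    ForEach-Object { ConvertTo-WinlogonRecord -Record $_ -EventNames $eventNames } |
    ConvertTo-Json
```

Step 1 is worth running once per Windows build and keeping the output as the reference table for the collector, because the manifest, not the learn.microsoft.com page, is what defines the IDs and task codes. Step 3 is only as complete as the events that have actually occurred on the host; collect from a machine that has seen logon, lock, unlock, logoff and RDP disconnect/reconnect to fill the table, and compare the results from the domain-joined and the non-domain-joined device, since the set of subscribers (TermSrv, SessionEnv and others) differs between them.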