LSA_AUDIT_LOGON callback function (ntsecpkg.h)

The AuditLogon function is used to audit a logon attempt.

Syntax

LSA_AUDIT_LOGON LsaAuditLogon;

void LsaAuditLogon(
  [in]           NTSTATUS Status,
  [in]           NTSTATUS SubStatus,
  [in]           PUNICODE_STRING AccountName,
  [in]           PUNICODE_STRING AuthenticatingAuthority,
  [in]           PUNICODE_STRING WorkstationName,
  [in, optional] PSID UserSid,
  [in]           SECURITY_LOGON_TYPE LogonType,
  [in]           PTOKEN_SOURCE TokenSource,
  [in]           PLUID LogonId
)
{...}

Parameters

[in] Status

Status of the logon attempt.

[in] SubStatus

Additional status information for the logon attempt.

[in] AccountName

Pointer to a UNICODE_STRING that contains the account name used in the logon attempt.

[in] AuthenticatingAuthority

Pointer to a UNICODE_STRING that contains the name of the authority that authenticated the logon, normally the operating system domain name.

[in] WorkstationName

Pointer to a UNICODE_STRING that contains the name of the workstation used to attempt the logon.

[in, optional] UserSid

Pointer to the SID of the security principal attempting to logon.

[in] LogonType

A SECURITY_LOGON_TYPE value indicating the type of logon.

[in] TokenSource

Pointer to a TOKEN_SOURCE structure that specifies the source for the user token. This value must include the package name.

[in] LogonId

Pointer to the logon session identifier. LogonId is valid only if the logon attempt was successful.

Return value

None

Remarks

A pointer to the AuditLogon function is available in the LSA_SECPKG_FUNCTION_TABLE structure received by the SpInitialize function.

Requirements

Requirement Value
Minimum supported client Windows XP [desktop apps only]
Minimum supported server Windows Server 2003 [desktop apps only]
Target Platform Windows
Header ntsecpkg.h

See also

LSA_SECPKG_FUNCTION_TABLE

SpInitialize