
Understanding Event ID 4624 Logon Type 11: Why It Appears When You Aren't There

Event ID 4624 Logon Type 11: Explaining Phantom Logons in Windows

Finding a "Successful Logon" entry in your Windows Event Viewer for a time when you were physically away from your computer can be alarming. When Event ID 4624 is paired with Logon Type 11, it specifically indicates a Cached Interactive logon. This does not always mean an intruder is at your keyboard; rather, it often points to how Windows handles credentials when a domain controller is unavailable or when specific automated tasks are triggered using your saved profile. This guide deciphers the technical "fingerprints" of Type 11 logons to help you distinguish between routine system behavior and unauthorized access.


Purpose

The primary purpose of investigating Logon Type 11 is to verify Credential Authenticity. In a standard office environment, your PC usually contacts a Domain Controller (DC) to verify your password. If the DC is unreachable (e.g., you are working from home without a VPN, or the server is down), Windows uses a "Cached" version of your credentials to let you in. However, because this logon type is also associated with Task Scheduler and Workstation Unlocks, understanding the "Source Network Address" and "Process Name" within the event is vital for confirming that the activity was a legitimate background system process.

Use Case

You should analyze Logon Type 11 events when:

  • After-Hours Activity: Your security logs show your account logged in at 3:00 AM while the PC was supposedly locked.
  • Remote Work Syncing: You notice logons occurring while your laptop is disconnected from the corporate network.
  • Automated Scripting: You have scheduled tasks or backups that require your user permissions to execute.
  • Forensic Investigation: You need to determine if a user bypassed network authentication by using local cached data.

Step by Step

Locate the Specific Event

Open Event Viewer (eventvwr.msc), navigate to Windows Logs > Security, and use the "Filter Current Log" option to search for ID 4624.

Verify the Logon Type

Scroll down to the "Logon Information" section of the event description. Look for Logon Type: 11. If it were a physical person at the desk, you would typically see Type 2 (Interactive) or Type 7 (Unlock).

Check the Subject and Target Account

Ensure the TargetUserName matches your account. Then, look at the Logon ID. This unique hex value can be used to link this logon to other events, like 4672 (Special Privileges assigned).

Investigate the Source Network Address

Check the Source Network Address. If it is 127.0.0.1 or -, the logon was local to the machine. If it shows an external IP you don't recognize, this is a red flag for unauthorized remote access.

Examine the Process Information

Look for Process Name. Common legitimate processes include:

  • C:\Windows\System32\lsass.exe (Local Security Authority)
  • C:\Windows\System32\winlogon.exe (Standard Login)
  • C:\Windows\System32\svchost.exe (System Services)
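
The checks above, run in the order given as one PowerShell pass over the local Security log. This is an added example, not part of the original guide. It assumes an elevated session and uses the event's own XML data names (LogonType, TargetUserName, TargetLogonId, IpAddress, ProcessName, WorkstationName, SubjectLogonId); the `::1` entry, the helper function and the output column names are assumptions introduced here.

```powershell
# Added example: triage Event ID 4624 / Logon Type 11 on the local machine.
# Run in an elevated PowerShell session; the Security log needs admin rights.

# Process paths the guide lists as common legitimate callers.
$ExpectedProcesses = @(
    'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\winlogon.exe',
    'C:\Windows\System32\svchost.exe'
)
# Values the guide treats as "local"; '::1' (IPv6 loopback) is added here.
$LocalSources = @('127.0.0.1', '-', '::1')

function Get-EventDataField {
    # Hypothetical helper: flatten <EventData> name/value pairs into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }
    $fields
}

# Locate and verify: successful logons (4624) whose LogonType field is 11.
$logonFilter = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
$logons = Get-WinEvent -LogName Security -FilterXPath $logonFilter -ErrorAction SilentlyContinue

$report = foreach ($record in $logons) {
    $f = Get-EventDataField $record

    # Link the Logon ID to a 4672 (special privileges) event, if one exists.
    $privFilter = "*[System[EventID=4672] and EventData[Data[@Name='SubjectLogonId']='$($f.TargetLogonId)']]"
    $priv = Get-WinEvent -LogName Security -FilterXPath $privFilter -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time            = $record.TimeCreated
        Account         = $f.TargetUserName
        Workstation     = $f.WorkstationName
        LogonId         = $f.TargetLogonId
        SourceAddress   = $f.IpAddress                      # source address check
        LocalSource     = $LocalSources -contains $f.IpAddress
        Process         = $f.ProcessName                    # process check
        ExpectedProcess = $ExpectedProcesses -contains $f.ProcessName
        Has4672         = [bool]$priv
    }
}

# Rows with a non-local source or an unlisted process sort to the top.
$report | Sort-Object LocalSource, ExpectedProcess, Time | Format-Table -AutoSize
```

Rows where LocalSource or ExpectedProcess is False are the ones to compare against the times you were away from the machine.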

Best Results

| Element | Standard Value | Security Significance |
|---|---|---|
| Logon Type | 11 (Cached Interactive) | Indicates DC was bypassed/unavailable. |
| Source Address | 127.0.0.1 / Localhost | Confirms the activity originated locally. |
| Workstation Name | Your PC Name | Verifies which hardware processed the key. |

FAQ

Why is it called "Cached" Interactive?

Windows stores a hash of your password locally. Type 11 occurs when the system uses this hash to verify you because the "Master" database (the Domain Controller) cannot be reached. It essentially means "I logged you in based on what I remembered about you."

Can a scheduled task trigger Type 11?

Yes. If a task is set to "Run only when user is logged on" or "Run with highest privileges" and the network is down, the Task Scheduler may invoke a Type 11 logon to start the process using your cached profile.

Is Logon Type 11 dangerous?

Not inherently. It is very common on laptops. However, if you see Type 11 logons for an account that has never logged into that specific computer before, it could indicate a credential harvesting attack or "Pass-the-Hash" attempt.

Disclaimer

Event logs can be complex and sometimes misleading due to system "noise." A single Event 4624 is rarely enough to prove a security breach without correlating events like 4625 (Failed Logons) or 4648 (Explicit Credentials). This guide applies to Windows 10, Windows 11, and Windows Server environments as of 2026. If you suspect an active breach, disconnect the machine from the network and consult an IT security professional.



Edited by: Eetu Maatta & Ka Wong
