Event ID: 4626

User / Device claims information

User / Device claims information.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Logon Type:             %9

New Logon:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Event in sequence:      %10 of %11

User Claims:            %12

Device Claims:          %13

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit User/Device claims subcategory is configured and the user’s logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
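The correlation described above, as an added example that is not part of the original page or of Microsoft's documentation: it joins 4626 records to the user logon event (4624) on TargetLogonId and uses the "Event in sequence" fields to detect missing parts. The event XML is constructed sample data, the function names are hypothetical, and all events are assumed to come from one host and one boot, since Logon IDs are only unique there.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, **data):  # builds one constructed event as Windows event XML
    fields = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample (not real log data): session 0x3565 has a 4624 logon and two 4626
# parts delivered out of order; session 0x9A1F has only part 1 of 2 and no 4624.
SAMPLE = [
    make_event(4626, TargetUserName="UserJohn", TargetLogonId="0x3565", EventIdx=2,
               EventCountTotal=2, UserClaims='ad://ext/example <%%1818> : "B"'),
    make_event(4624, TargetUserName="UserJohn", TargetLogonId="0x3565", LogonType=3),
    make_event(4626, TargetUserName="UserJohn", TargetLogonId="0x3565", EventIdx=1,
               EventCountTotal=2, UserClaims='ad://ext/example <%%1818> : "A"'),
    make_event(4626, TargetUserName="UserAnn", TargetLogonId="0x9A1F", EventIdx=1,
               EventCountTotal=2, UserClaims='ad://ext/example <%%1818> : "C"'),
]

def parse(xml_text):
    """Flatten one event into {field name: value} plus its numeric EventID."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return ev

def correlate(xml_events):
    """Join 4626 parts to the 4624 logon on TargetLogonId (assumes one host, one boot)."""
    logons, parts = set(), defaultdict(dict)
    for ev in map(parse, xml_events):
        lid = ev.get("TargetLogonId", "").lower()  # normalise hex case before joining
        if ev["EventID"] == 4624:
            logons.add(lid)
        elif ev["EventID"] == 4626:
            parts[lid][int(ev["EventIdx"])] = ev
    report = {}
    for lid, seq in parts.items():
        ordered = [seq[i] for i in sorted(seq)]  # restore "N of M" order
        total = int(ordered[0]["EventCountTotal"])
        report[lid] = {
            "user": ordered[0]["TargetUserName"],
            "complete": sorted(seq) == list(range(1, total + 1)),  # every part present
            "has_logon": lid in logons,  # a 4624 exists for this session
            "user_claims": [e["UserClaims"] for e in ordered],
        }
    return report
```

A session reported with `complete` or `has_logon` set to False points to dropped or filtered events, which is worth checking before relying on the claims shown.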

Event ID - 4626

Name               Field              Insertion String  OS   Example
Security ID        SubjectUserSid     %1                Any  NULL SID
Account Name       SubjectUserName    %2                Any  -
Account Domain     SubjectDomainName  %3                Any  -
Logon ID           SubjectLogonId     %4                Any  0x0
Security ID        TargetUserSid      %5                Any  THEDOMAIN\UserJohn
Account Name       TargetUserName     %6                Any  UserJohn
Account Domain     TargetDomainName   %7                Any  THEDOMAIN
Logon ID           TargetLogonId      %8                Any  0x3565
Logon Type         LogonType          %9                Any  View Codes
Event in sequence  EventIdx           %10               Any  1
Event in sequence  EventCountTotal    %11               Any  1
User Claims        UserClaims         %12               Any  ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "UserJohn"
Device Claims      DeviceClaims       %13               Any  -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User/Device Claims"