Event ID: 4634

An account was logged off

An account was logged off.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Logon Type:             %5

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


This event shows that logon session was terminated and no longer exists.

The main difference between event 4647 (User initiated logoff) and event 4634 is that event 4647 is generated when a logoff procedure was initiated by specific account using the logoff function, whereas event 4634 shows that a session was terminated and no longer exists.

4647 is more typical for Interactive and RemoteInteractive logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.

It may be positively correlated with event 4624 (An account was successfully logged on) event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Logoff events may not be generated for certain network logons or after an unexpected shutdown.

Auditing:     Conditional

It is recommended to audit logoff events on servers and workstations. Auditing this event on domain controllers is recommended if possible.


Volume:     Low Medium High


Microsoft Documentation

Event ID - 4634



Name Field Insertion String OS Example
Security ID TargetUserSid %1 Any S-1-5-90-1
Account Name TargetUserName %2 Any UserName
Account Domain TargetDomainName %3 Any DOMAIN
Logon ID LogonID %4 Any 0x1a0992
Logon Type LogonType %5 Any View Codes


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:Logoff



LEFT/RIGHT arrow keys for navigation

Back to List