Event ID: 4647

User initiated logoff 

User initiated logoff:

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Microsoft Documentation

Event ID - 4647



This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.

The main difference with event 4634 (An account was logged off) is that the 4647 event is generated when a logoff procedure was initiated by specific account using the logoff function, whereas 4634 event shows that a session was terminated and no longer exists.

4647 is more typical for Interactive and RemoteInteractive logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.

It may be positively correlated with event 4624 (An account was successfully logged on) using the Logon ID value. Logon IDs are only unique between reboots on the same computer.



Name Field Insertion String OS Example
Security ID TargetUserSid %1 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name TargetUserName %2 Any UserName
Account Domain TargetDomainName %3 Any DOMAIN
Logon ID TargetLogonId %4 Any 0x29b379

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:Logoff
How to enable Windows Auditing

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019

Audit Category:
Logon/Logoff

Audit Subcategory:
Logoff
Legacy Events:
551

Correlated Events:
4624 4634

LEFT/RIGHT arrow keys for navigation

Back to List