4634 An account was logged off
Written when a logon session ends and no longer exists. Tied to 4624 by Logon ID, it lets you trace a session from start to finish.
Overview
The subcategory is Audit Logoff. It indicates that a session has ended and ceased to exist. The difference from 4647 (user-initiated logoff) is that 4647 marks “the start of a logoff action,” while 4634 marks the state “the session has terminated and no longer exists.” For interactive and remote-interactive logons, both typically appear when a user logs off the normal way.
How it is triggered
- When a logon session ends (an explicit logoff, a timeout, termination after a disconnect, and so on).
- It ties to the corresponding 4624 via Logon ID. Note that a Logon ID is unique only within one machine and between reboots.
Security review points
- It is material for building a session’s lifetime (logon to logoff). A very short session in the middle of the night, or a start/end with an unexpected LogonType, is a starting point for investigation.
- Use the type field to check whether sessions are being established with a LogonType an account should not use (for example, a domain admin with Batch=4 or Service=5).
Notes for log review
- Logoffs by internal accounts such as DWM-*, UMFD-*, and SYSTEM are high-volume normal noise; the original example is itself a DWM-1 logoff. Exclude these.
- Logoffs do not always pair one-to-one with logons (they may not appear on a forced termination or crash). Do not read them alone; reconstruct the session by combining with 4624 / 4647.
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that logged off |
| Logon ID | The key for matching with 4624 |
| Logon Type | The logon kind of the ended session |
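
The session reconstruction described under "Security review points" and "Notes for log review", as an added example that is not part of the original page: it pairs 4624 with 4647/4634 on Logon ID, drops the noise accounts, and flags short, unpaired, and wrong-LogonType sessions. The record layout, the account names (`da-admin`, `alice`, `bob`), the `FORBIDDEN` policy and the 60-second threshold are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

NOISE = ("DWM-*", "UMFD-*", "SYSTEM")    # internal accounts the page says to exclude
FORBIDDEN = {"da-admin": {4, 5}}         # assumed policy: account -> LogonTypes it must not use
SHORT = timedelta(seconds=60)            # assumed threshold for a "very short" session

def ev(eid, clock, logon_id, account, ltype=None, computer="WS01"):  # 4647 has no Logon Type
    return {"EventID": eid, "Time": datetime.fromisoformat("2024-01-10T" + clock),
            "Computer": computer, "LogonId": logon_id, "Account": account, "LogonType": ltype}

EVENTS = [  # constructed sample data, not real log output
    ev(4624, "02:14:00", "0x3e5a1", "da-admin", 4),
    ev(4634, "02:14:20", "0x3e5a1", "da-admin", 4),
    ev(4624, "08:59:50", "0x1a2b3", "DWM-1", 2),
    ev(4634, "09:00:05", "0x1a2b3", "DWM-1", 2),
    ev(4624, "09:00:00", "0x51f00", "alice", 2),
    ev(4647, "17:00:00", "0x51f00", "alice"),
    ev(4634, "17:00:02", "0x51f00", "alice", 2),
    ev(4624, "11:00:00", "0x7a000", "bob", 10),   # no 4634 follows (crash or forced end)
]

def reconstruct(events):
    """Pair 4624 with 4647/4634 on (Computer, Logon ID); sessions left open come last."""
    open_, done = {}, []
    for e in sorted(events, key=lambda e: e["Time"]):
        if any(fnmatchcase(e["Account"], p) for p in NOISE):
            continue
        key = (e["Computer"], e["LogonId"])   # Logon ID is unique only within one machine
        if e["EventID"] == 4624:
            if key in open_:                  # ID seen again, e.g. after a reboot
                done.append(open_.pop(key))   # keep the old session, with no end time
            open_[key] = {"account": e["Account"], "type": e["LogonType"],
                          "start": e["Time"], "initiated": None, "end": None}
        elif key in open_ and e["EventID"] == 4647:
            open_[key]["initiated"] = e["Time"]     # logoff action started
        elif key in open_ and e["EventID"] == 4634:
            done.append({**open_.pop(key), "end": e["Time"]})   # session no longer exists
    return done + list(open_.values())

def flags(s):
    out = ["forbidden-logon-type"] if s["type"] in FORBIDDEN.get(s["account"], ()) else []
    if s["end"] is None:
        out.append("no-4634")          # never read a missing logoff alone; check 4647 too
    elif s["end"] - s["start"] < SHORT:
        out.append("short-session")
    return out

for s in reconstruct(EVENTS):
    print(s["account"], s["type"], s["start"], s["end"], flags(s))
```

A `no-4634` flag only means the logoff was not recorded; the `initiated` value from 4647 shows whether the user at least started a logoff.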