4647 User initiated logoff
Written when a user explicitly starts a logoff. No further user activity occurs after it. Paired with 4634, it marks the end point of an interactive session.
Overview
The subcategory is Audit Logoff. It indicates that a specific account began the logoff procedure using the logoff function. The difference from 4634 (which marks the session’s disappearance itself) is that 4647 represents a user-initiated logoff action. It is typical for interactive and remote-interactive logons where the user logs off the standard way, and normally both 4647 and 4634 appear.
How it is triggered
- When a user logs off explicitly, via the Start menu, session disconnect, and so on.
- It ties to the corresponding 4624 via Logon ID.
Security review points
- Because it confirms a user-initiated logoff, you can precisely bound the usage window of an interactive session (logon to logoff). It is useful for establishing RDP (LogonType 10) usage periods.
- If there is a logon but no user-initiated 4647, and the session is closed only by a 4634, it can indicate an unusual ending such as a disconnect or forced termination.
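The correlation described in the review points above, as an added example that is not part of the original page: it groups 4624, 4647 and 4634 records by Logon ID, bounds each interactive session, and marks sessions that closed with only a 4634. The records and the normalized field names (`logon_id`, `logon_type`, `account`) are constructed for illustration, and Logon IDs are assumed unique within the sample.

```python
from datetime import datetime

# Constructed sample records (not real log data). Field names are an assumed
# normalized export; logon_type is only present on 4624.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4624, "logon_id": "0x3e1a2", "account": "alice", "logon_type": 10},
    {"time": "2024-05-01T17:30:00", "id": 4647, "logon_id": "0x3e1a2", "account": "alice"},
    {"time": "2024-05-01T17:30:02", "id": 4634, "logon_id": "0x3e1a2", "account": "alice"},
    {"time": "2024-05-01T10:15:00", "id": 4624, "logon_id": "0x51f0c", "account": "bob", "logon_type": 10},
    {"time": "2024-05-01T10:47:00", "id": 4634, "logon_id": "0x51f0c", "account": "bob"},
    {"time": "2024-05-01T11:00:00", "id": 4624, "logon_id": "0x77b90", "account": "carol", "logon_type": 2},
]
INTERACTIVE_TYPES = {2, 10}  # 2 = interactive, 10 = remote-interactive (RDP)

def build_sessions(events):
    """Group 4624/4647/4634 by Logon ID and classify how each session ended."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624:
            if ev.get("logon_type") in INTERACTIVE_TYPES:
                sessions[ev["logon_id"]] = {"account": ev["account"], "logon_type": ev["logon_type"],
                                            "start": ts, "user_logoff": None, "session_end": None}
            continue
        s = sessions.get(ev["logon_id"])
        if s is None:
            continue  # logoff without a matching interactive 4624 in this data set
        if ev["id"] == 4647 and s["user_logoff"] is None:
            s["user_logoff"] = ts
        elif ev["id"] == 4634 and s["session_end"] is None:
            s["session_end"] = ts
    for s in sessions.values():
        end = s["user_logoff"] or s["session_end"]
        s["duration"] = end - s["start"] if end else None
        if s["user_logoff"]:
            s["ending"] = "user-initiated"      # 4647 seen: normal logoff
        elif s["session_end"]:
            s["ending"] = "4634-only"           # review: disconnect or forced termination
        else:
            s["ending"] = "open"                # no logoff event in the data set
    return sessions

if __name__ == "__main__":
    for lid, s in build_sessions(EVENTS).items():
        print(lid, s["account"], s["logon_type"], s["ending"], s["duration"])
```

A session reported as `open` only means no logoff event fell inside the collected time range, so widen the export before drawing conclusions from it.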
Notes for log review
- Most are normal everyday events. Rather than judging an anomaly on its own, use it as material to build the full session picture together with 4624 / 4634.
- It appears for user accounts that logged on interactively, not for system accounts.
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that started the logoff |
| Logon ID | The key for matching with 4624 / 4634 |