
Local Session Manager – Event 23 (Logoff Succeeded)

Published on August 2, 2023

What Is It?

This event is created when a local session is logged off from either a local or remote interactive session.

  • Event Log: Terminal Services – Local Session Manager
  • Event ID: 23
  • Event Description: “Session logoff succeeded”

The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins. Note that local sessions are different from logon sessions. Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. Learn more about sessions here.

Artifact Family

This event is in the Inbound Logon artifact family. It is related to both incoming Windows RDP connections and local interactive logins.

When Does It Get Created?

Event 23 is created when a local session logs off. That happens after a user successfully logs off a local or remote interactive logon session.

For example:

  • After a user logs off (not just a disconnect) from the local session.

What Data Is Stored?

This event has three fields of interest:

  • Timestamp of when the successful logoff occurred
  • User and domain name of the account that logged off
  • Session ID of the remote session
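
As an added example (not Cyber Triage's code), the sketch below pulls these three fields out of an XML export of the Local Session Manager log and keeps only Event 23. The sample events are constructed, and the UserData/EventXML layout with User and SessionID elements, wrapped in a root Events element, is an assumption about the export.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

LSM_CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample (not from a real host); the UserData/EventXML layout is assumed.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>23</EventID><TimeCreated SystemTime="2023-08-02T14:03:11.1234567Z"/>
 <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
 </System><UserData><EventXML xmlns="Event_NS">
 <User>CORP\jdoe</User><SessionID>2</SessionID></EventXML></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>24</EventID><TimeCreated SystemTime="2023-08-02T15:20:00.5Z"/>
 <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
 </System><UserData><EventXML xmlns="Event_NS">
 <User>CORP\asmith</User><SessionID>3</SessionID></EventXML></UserData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <EventID>23</EventID><TimeCreated SystemTime="2023-08-02T09:00:00Z"/>
 <Channel>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</Channel>
 </System><UserData><EventXML xmlns="Event_NS">
 <User>localadmin</User><SessionID>1</SessionID></EventXML></UserData></Event>
</Events>"""

def parse_system_time(value):
    """Parse a SystemTime value; trim 100 ns precision to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected SystemTime: {value!r}")
    micro = int((m.group(2) or "")[:6].ljust(6, "0"))
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)

def lsm_logoffs(xml_text):
    """Return Event 23 records (time, domain, user, session_id), oldest first."""
    out = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        sysn = ev.find("e:System", NS)
        if (sysn.findtext("e:Channel", namespaces=NS) != LSM_CHANNEL
                or sysn.findtext("e:EventID", namespaces=NS) != "23"):
            continue  # skip other event IDs (such as 24) and other channels
        data = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
                for el in ev.find("e:UserData", NS).iter()}
        domain, _, user = data["User"].rpartition("\\")  # domain may be empty
        when = parse_system_time(sysn.find("e:TimeCreated", NS).get("SystemTime"))
        out.append({"time": when, "domain": domain, "user": user,
                    "session_id": int(data["SessionID"])})
    return sorted(out, key=lambda r: r["time"])
```

Timestamps are returned in UTC, which makes them directly comparable with logoff times taken from other event logs.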

Relevance to DFIR?

This entry will show you when a user logged off the system. It has the same information as other events, such as:

  • Local Session Manager – Event 24
  • Security Log – Event 4634

However, these events are all stored in different event log files, which can cycle at different rates. So you may find this event even if the others have been overwritten or deleted.

Usage in Cyber Triage

Cyber Triage collects and parses the Local Session Manager event log. It uses this event to determine when a logon session ended.
