LOGOFF.exe – Windows CMD Command
Log a user off.
LOGOFF [/f] [/n]
/f Force running processes to close, but will ask for user confirmation.
The user will not be asked to save unsaved data.
/n Force running processes to close without confirmation.
The user will be prompted to save unsaved data.
By default LOGOFF will ask for user confirmation and prompt to save unsaved data.
Windows security log events
Logon Event IDs 528 and 540 = successful logon
Logoff Event ID 538 = logoff
Logon and logoff events also specify a Logon Type code:
Logon Type 2 – Interactive – Log on at the local keyboard/screen (see the event description for a computer name).
Logon Type 3 – Network – connections to shared folders or printers, over-the-network logons, IIS logons( but not basic authentication)
Logon Type 4 – Batch – The Scheduled Task service creates a new logon session for each task.
Logon Type 5 – Service – Each service is configured to run as a specified user account.
Logon Type 7 – Unlock- a password protected screen saver.
Logon Type 8 – NetworkCleartext – a network logon like logon type 3 but where the password was sent over the network in cleartext.
Logon Type 9 – NewCredentials – If you use RunAs /netonly and records the logon event with logon type 2.
Logon Type 10 – RemoteInteractive – Terminal Services, Remote Desktop or Remote Assistance.
Logon Type 11 – CachedInteractive – mobile users not connected to the network connecting with cached credentials.