Export (0) Print
Expand All
Expand Minimize

AuditLogon function

The AuditLogon function is used to audit a logon attempt.


VOID AuditLogon(
  _In_      NTSTATUS Status,
  _In_      NTSTATUS SubStatus,
  _In_      PUNICODE_STRING AccountName,
  _In_      PUNICODE_STRING AuthenticatingAuthority,
  _In_      PUNICODE_STRING WorkstationName,
  _In_opt_  PSID UserSid,
  _In_      SECURITY_LOGON_TYPE LogonType,
  _In_      PTOKEN_SOURCE TokenSource,
  _In_      PLUID LogonId


Status [in]

Status of the logon attempt.

SubStatus [in]

Additional status information for the logon attempt.

AccountName [in]

Pointer to a UNICODE_STRING that contains the account name used in the logon attempt.

AuthenticatingAuthority [in]

Pointer to a UNICODE_STRING that contains the name of the authority that authenticated the logon, normally the operating system domain name.

WorkstationName [in]

Pointer to a UNICODE_STRING that contains the name of the workstation used to attempt the logon.

UserSid [in, optional]

Pointer to the SID of the security principal attempting to logon.

LogonType [in]

A SECURITY_LOGON_TYPE value indicating the type of logon.

TokenSource [in]

Pointer to a TOKEN_SOURCE structure that specifies the source for the user token. This value must include the package name.

LogonId [in]

Pointer to the logon session identifier. LogonId is valid only if the logon attempt was successful.

Return value

This function does not return a value.


A pointer to the AuditLogon function is available in the LSA_SECPKG_FUNCTION_TABLE structure received by the SpInitialize function.


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]



See also




Community Additions

© 2014 Microsoft