AuditLogon function

The AuditLogon function is used to audit a logon attempt.


VOID AuditLogon(
  _In_     NTSTATUS            Status,
  _In_     NTSTATUS            SubStatus,
  _In_     PUNICODE_STRING     AccountName,
  _In_     PUNICODE_STRING     AuthenticatingAuthority,
  _In_     PUNICODE_STRING     WorkstationName,
  _In_opt_ PSID                UserSid,
  _In_     SECURITY_LOGON_TYPE LogonType,
  _In_     PTOKEN_SOURCE       TokenSource,
  _In_     PLUID               LogonId


Status [in]

Status of the logon attempt.

SubStatus [in]

Additional status information for the logon attempt.

AccountName [in]

Pointer to a UNICODE_STRING that contains the account name used in the logon attempt.

AuthenticatingAuthority [in]

Pointer to a UNICODE_STRING that contains the name of the authority that authenticated the logon, normally the operating system domain name.

WorkstationName [in]

Pointer to a UNICODE_STRING that contains the name of the workstation used to attempt the logon.

UserSid [in, optional]

Pointer to the SID of the security principal attempting to logon.

LogonType [in]

A SECURITY_LOGON_TYPE value indicating the type of logon.

TokenSource [in]

Pointer to a TOKEN_SOURCE structure that specifies the source for the user token. This value must include the package name.

LogonId [in]

Pointer to the logon session identifier. LogonId is valid only if the logon attempt was successful.

Return value

This function does not return a value.


A pointer to the AuditLogon function is available in the LSA_SECPKG_FUNCTION_TABLE structure received by the SpInitialize function.


Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]



See also