Windows Event ID 6145 – WinLogon: User Logon Session Destroyed

Start by examining the specific details of Event ID 6145 to understand the session termination context.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → System
3. Filter for Event ID 6145 by right-clicking System → Filter Current Log
4. Enter 6145 in the Event IDs field and click OK
5. Double-click on recent Event ID 6145 entries to examine details
6. Note the User field showing which account's session was destroyed
7. Check the Session ID to correlate with other session events
8. Review the Logon Type to understand the original session type

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=6145} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize

Analyze Event ID 6145 alongside related logon and logoff events to understand the complete session lifecycle.

1. Query for related authentication events using PowerShell:

# Get session lifecycle events for the last 24 hours
$StartTime = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security','System'; Id=4624,4634,4647,6145; StartTime=$StartTime} | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LogName, Message

2. In Event Viewer, create a custom view:
3. Right-click Custom Views → Create Custom View
4. Select By log and check both Security and System logs
5. In the Event IDs field, enter: 4624,4634,4647,6145
6. Set appropriate time range and click OK
7. Name the view "Session Lifecycle Events" and save
8. Review the chronological sequence of events for specific users
9. Look for patterns indicating forced terminations or unusual session behavior

Implement monitoring to detect unusual session termination patterns that might indicate security issues or system problems.

1. Create a PowerShell script to analyze session termination frequency:

# Analyze Event ID 6145 patterns over the last 7 days
$StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=6145; StartTime=$StartTime}

# Group by user and count terminations
$UserStats = $Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $User = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    [PSCustomObject]@{
        User = $User
        TimeCreated = $_.TimeCreated
        SessionId = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SessionId'} | Select-Object -ExpandProperty '#text')
    }
} | Group-Object User | Select-Object Name, Count, @{Name='LastTermination';Expression={($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated}}

$UserStats | Sort-Object Count -Descending

2. Set up Windows Task Scheduler to run monitoring scripts regularly
3. Configure Event Log subscriptions for centralized monitoring in enterprise environments
4. Use Performance Monitor to track session-related counters
5. Review Group Policy settings that might cause frequent session terminations

When Event ID 6145 occurs unexpectedly, investigate potential causes of forced session termination.

1. Check for administrative session termination tools usage:

# Look for process termination events around the same time
$SessionEvent = Get-WinEvent -FilterHashtable @{LogName='System'; Id=6145} -MaxEvents 1
$EventTime = $SessionEvent.TimeCreated
$TimeWindow = 300 # 5 minutes before and after

# Check for process termination events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689; StartTime=$EventTime.AddSeconds(-$TimeWindow); EndTime=$EventTime.AddSeconds($TimeWindow)} | Select-Object TimeCreated, Message

2. Review system event logs for hardware or driver issues:

# Check for system errors around session termination
Get-WinEvent -FilterHashtable @{LogName='System'; Level=2,3; StartTime=$EventTime.AddMinutes(-10); EndTime=$EventTime.AddMinutes(10)} | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message

3. Examine Group Policy application logs for policy-enforced terminations
4. Check Terminal Services logs on server systems for RDP-related terminations
5. Review Application logs for software that might trigger session cleanup
6. Analyze network connectivity logs if dealing with remote sessions

Implement comprehensive session monitoring to proactively track and analyze Event ID 6145 occurrences.

1. Enable advanced audit policies for detailed session tracking:

# Configure audit policies via PowerShell
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

2. Configure registry settings for enhanced session logging:

# Enable additional session tracking (requires restart)
New-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -Name "AuditBaseObjects" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -Name "FullPrivilegeAuditing" -Value 1 -PropertyType DWORD -Force

3. Set up Windows Event Forwarding (WEF) for centralized collection:
4. Create custom event subscriptions targeting Event ID 6145
5. Configure SIEM integration for automated analysis and alerting
6. Implement PowerShell-based monitoring with email notifications:

# Monitor for unusual session termination patterns
$Threshold = 10 # Alert if more than 10 terminations per hour
$HourlyCount = (Get-WinEvent -FilterHashtable @{LogName='System'; Id=6145; StartTime=(Get-Date).AddHours(-1)}).Count

if ($HourlyCount -gt $Threshold) {
    # Send alert email or log to monitoring system
    Write-EventLog -LogName Application -Source "Custom Monitor" -EventId 1001 -EntryType Warning -Message "High session termination rate detected: $HourlyCount events in the last hour"
}