
Windows Event ID 6279 – WinLogon: User Logon Session Destroyed

Event ID 6279 is presented here as the event that records the destruction of a user logon session in Windows: an informational event written when a user logs off, disconnects from a remote session, or the system terminates the session through an inactivity timeout or policy enforcement. Verify the event description on your own systems before keying detections on the number alone (see What This Event Means below).

Emanuel DE ALMEIDA
18 March 2026 · 12 min read
Event Reference

What This Event Means

Windows Event ID 6279 is treated throughout this article as the record of a user logon session being destroyed, written when a session terminates. Read that way it is the counterpart to the logon events, completing the audit trail of a session from creation to destruction. It is logged in the Security event log and appears only when the corresponding audit subcategory is enabled. One caution before relying on the number alone: in Microsoft's Security audit event reference, 6279 sits in the Network Policy Server range (6272 to 6280, where 6279 is "Network Policy Server locked the user account due to repeated failed authentication attempts"), and session end is documented under 4634 (an account was logged off), 4647 (user-initiated logoff) and 4779 (a session was disconnected from a Window Station). Check the provider and description of the event on your own systems; every procedure below works unchanged with whichever ID your systems actually log for session end.

The fields the scripts below rely on are the Security ID (SID) of the user whose session was destroyed, the Logon ID that uniquely identifies the session, the session name, and the logon type that indicates how the user originally authenticated; remote sessions additionally carry a source network address and the authentication package used at logon. The numeric Properties[] indices used in the scripts depend on the field order of the specific event ID, so confirm that order from the event's XML (the Details tab in Event Viewer, or ToXml() in PowerShell) before indexing into it.

Session destruction can occur through various mechanisms: normal user-initiated logoff, administrative session termination, automatic timeout due to inactivity policies, system shutdown or restart, remote desktop disconnection, or forced termination due to security policies. Each scenario provides valuable forensic information for security analysis and compliance reporting.

In Windows Server environments, particularly those running Remote Desktop Services or Citrix, Event ID 6279 becomes especially important for tracking concurrent user sessions and ensuring proper license compliance. The event helps administrators understand session utilization patterns and identify potential issues with session cleanup processes.
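As an added example that is not part of the original article, the following PowerShell function dumps the named EventData fields of the newest event with a given ID, together with the provider, task and first line of the description, so that the Properties[] indices used in the scripts below can be checked against what the system actually logs rather than assumed. The function name and the default log are assumptions for the example.

```powershell
# Added example (not from the original article): show the field layout of an event ID
# so that Properties[N] indices are verified rather than assumed.
function Get-EventFieldLayout {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [string]$LogName = 'Security'     # assumption: the Security log unless told otherwise
    )
    # Newest matching event; -ErrorAction Stop turns "no events found" into a catchable error
    try {
        $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1 -ErrorAction Stop
    } catch {
        Write-Warning "No event $EventId found in $LogName (is the audit subcategory enabled?)"
        return
    }

    # The XML carries the field names; $evt.Properties only carries the values in the same order
    $xml = [xml]$evt.ToXml()
    $i = 0
    $fields = foreach ($d in $xml.Event.EventData.Data) {
        [PSCustomObject]@{ Index = $i; Name = $d.Name; Value = $d.'#text' }
        $i++
    }

    # Provider, task and description let you confirm what the ID means on this system
    [PSCustomObject]@{
        EventId  = $evt.Id
        Provider = $evt.ProviderName
        Task     = $evt.TaskDisplayName
        Summary  = ($evt.Message -split "`r?`n")[0]
        Fields   = $fields
    }
}

# Usage: compare the event this article is about with the documented logoff events
foreach ($id in 6279, 4634, 4647) {
    $layout = Get-EventFieldLayout -EventId $id
    if ($layout) {
        $layout | Format-List EventId, Provider, Task, Summary
        $layout.Fields | Format-Table -AutoSize
    }
}
```

If the Provider column is not Microsoft-Windows-Security-Auditing with a Logon/Logoff task, or the Summary does not describe a session ending, the ID is not the one you want for session tracking on that host, and the index mapping in the later scripts must be adjusted to the layout this function prints.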

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User-initiated logoff through Start menu or Ctrl+Alt+Del
  • Remote Desktop Protocol (RDP) session disconnection or termination
  • Automatic session timeout due to inactivity policies
  • Administrative termination of user sessions via Task Manager or command line
  • System shutdown or restart forcing session cleanup
  • Group Policy enforcement causing session termination
  • Terminal Services session limits being exceeded
  • Security policy violations triggering forced logoff
  • Network connectivity issues causing remote session drops
  • Application crashes or system instability affecting session integrity
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 6279 to understand the session termination context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 6279 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 6279 in the Event IDs field and click OK
  5. Double-click on recent Event ID 6279 entries to examine details including:
    • Subject Security ID and Account Name
    • Logon ID (correlates with logon events)
    • Session Name and Logon Type
    • Source Network Address (for remote sessions)
  6. Use PowerShell to query multiple events efficiently:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6279} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='LogonID';Expression={$_.Properties[3].Value}}
Pro tip: Cross-reference the Logon ID with the matching 4624 (successful logon) event to build a complete session timeline. 4625 (failed logon) events do not carry a session Logon ID, because no session was created, so they cannot be joined this way.
02

Correlate Session Events with PowerShell Analysis

Use PowerShell to analyze session patterns and identify potential issues with session management.

  1. Create a comprehensive session analysis script:
# Get session destruction events from the last 24 hours
$StartTime = (Get-Date).AddDays(-1)
$SessionEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=6279
    StartTime=$StartTime
} | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        UserName = $_.Properties[1].Value
        LogonID = $_.Properties[3].Value
        SessionName = $_.Properties[4].Value
        LogonType = $_.Properties[5].Value
        SourceIP = $_.Properties[6].Value
    }
}

# Group by user to identify patterns
$SessionEvents | Group-Object UserName | Sort-Object Count -Descending
  2. Analyze session duration by correlating with logon events (for 4624 the session's Logon ID is the TargetLogonId field, Properties[7]):
# Find matching logon/logoff pairs
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime}
$SessionDurations = foreach ($Logoff in $SessionEvents) {
    $MatchingLogon = $LogonEvents | Where-Object {
        $_.Properties[7].Value -eq $Logoff.LogonID
    } | Select-Object -First 1
    
    if ($MatchingLogon) {
        [PSCustomObject]@{
            User = $Logoff.UserName
            LogonTime = $MatchingLogon.TimeCreated
            LogoffTime = $Logoff.TimeCreated
            Duration = $Logoff.TimeCreated - $MatchingLogon.TimeCreated
        }
    }
}

$SessionDurations | Sort-Object Duration -Descending
Warning: Large environments may generate thousands of session events. Use appropriate time filters to avoid performance issues.
03

Configure Advanced Audit Policies for Session Tracking

Ensure proper audit policy configuration to capture comprehensive session information.

  1. Check current audit policy settings using Group Policy or command line (auditpol needs an elevated prompt):
# Check current audit policy
auditpol /get /category:"Logon/Logoff"

# Enable logon and logoff auditing if needed. The Logoff subcategory only produces
# success events, so enabling failure auditing for it has no effect.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
  2. Configure Group Policy for enterprise environments:
    • Open Group Policy Management Console
    • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
    • Expand Audit Policies → Logon/Logoff
    • Enable Audit Logon (Success and Failure) and Audit Logoff (Success)
  3. Verify audit policy application:
# Check the effective audit policy for the subcategory that produces session-end events
auditpol /get /subcategory:"Logoff"

# Monitor audit policy changes (4719 = system audit policy was changed)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 10
  4. Configure Security log retention settings in the registry:
# Increase Security log size (value in bytes; 104857600 = 100 MB)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "MaxSize" -Value 104857600

# Set retention policy: 0 = overwrite as needed, 0xFFFFFFFF = never overwrite (log must be cleared manually)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "Retention" -Value 0

# The same two settings through the supported tool, applied immediately without a service restart
wevtutil sl Security /ms:104857600 /rt:false
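The following PowerShell function is an added example, not code from the original article, that verifies the result of this step: it parses auditpol's CSV output (the /r switch) for the Logon and Logoff subcategories, and reads the Security log's maximum size and retention mode as the Event Log service reports them through Get-WinEvent -ListLog, which reflects the effective configuration rather than a registry value that may not have been picked up yet. The function name, the 100 MB threshold and the subcategory list are assumptions for the example; auditpol requires an elevated prompt.

```powershell
# Added example (not from the original article): confirm that session auditing is
# actually in effect before building detections on it.
function Test-SessionAuditReadiness {
    param(
        [string[]]$Subcategories = @('Logon', 'Logoff'),   # assumption: the two subcategories this step enables
        [long]$MinLogSizeBytes = 100MB                      # assumption: the size configured above
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # auditpol /r prints CSV with an "Inclusion Setting" column such as "Success" or "Success and Failure"
    foreach ($sub in $Subcategories) {
        $csv = auditpol /get /subcategory:"$sub" /r 2>$null | Where-Object { $_ -ne '' }
        if ($LASTEXITCODE -ne 0 -or -not $csv) {
            $problems.Add("auditpol failed for '$sub' (is this an elevated prompt?)")
            continue
        }
        $row = $csv | ConvertFrom-Csv | Select-Object -First 1
        if ($row.'Inclusion Setting' -notmatch 'Success') {
            $problems.Add("Subcategory '$sub' does not audit Success (currently: $($row.'Inclusion Setting'))")
        }
    }

    # Effective log configuration as the Event Log service sees it
    $log = Get-WinEvent -ListLog Security
    if (-not $log.IsEnabled) {
        $problems.Add('Security log is disabled')
    }
    if ($log.MaximumSizeInBytes -lt $MinLogSizeBytes) {
        $problems.Add("Security log max size is $($log.MaximumSizeInBytes) bytes, below $MinLogSizeBytes")
    }
    if ($log.LogMode -eq 'Retain') {
        $problems.Add('Security log mode is Retain: new events are dropped once the log is full')
    }

    [PSCustomObject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage
$check = Test-SessionAuditReadiness
if ($check.Ready) { 'Audit configuration OK' } else { $check.Problems | ForEach-Object { Write-Warning $_ } }
```

Run this on a sample of hosts after the Group Policy refresh rather than trusting the GPO report: a local policy set with auditpol and a domain policy can disagree, and the effective value is what decides whether the event you are about to alert on is written at all.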
04

Implement Session Monitoring and Alerting

Set up proactive monitoring for unusual session termination patterns that might indicate security issues.

  1. Create a PowerShell script for continuous session monitoring (the logon events are fetched once and indexed by Logon ID, and the logoff being tested is captured in a variable because $_ would otherwise be shadowed inside a nested pipeline):
# Session monitoring script: flags sessions destroyed within a few minutes of logon
param(
    [int]$ThresholdMinutes = 60,          # look-back window
    [int]$MaxSessionMinutes = 5,          # sessions shorter than this are flagged
    [string]$LogPath = "C:\Logs\SessionMonitoring.log"
)

$StartTime = (Get-Date).AddMinutes(-$ThresholdMinutes)

# Index logon events by Logon ID (4624: TargetLogonId is Properties[7]); keys are stringified
# so that values of different numeric types still match
$LogonByID = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime} -ErrorAction SilentlyContinue |
    ForEach-Object { $LogonByID["$($_.Properties[7].Value)"] = $_ }

$SuspiciousEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=6279
    StartTime=$StartTime
} -ErrorAction SilentlyContinue | Where-Object {
    $Logoff = $_
    $Logon = $LogonByID["$($Logoff.Properties[3].Value)"]
    # Flag sessions terminated within $MaxSessionMinutes of logon
    $Logon -and (($Logoff.TimeCreated - $Logon.TimeCreated).TotalMinutes -lt $MaxSessionMinutes)
}

if ($SuspiciousEvents) {
    $Alert = "ALERT: {0} suspicious session terminations detected" -f @($SuspiciousEvents).Count
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value "$(Get-Date): $Alert"
    # Send email or trigger SIEM alert here
}
  2. Schedule the monitoring script using Task Scheduler (run from an elevated prompt):
# Create scheduled task for session monitoring.
# The task runs as SYSTEM, so C:\Scripts must be writable by administrators only;
# otherwise anyone who can edit the script gets SYSTEM every 15 minutes.
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\SessionMonitor.ps1"
# -Once is required for a repeating trigger; the repetition then runs every 15 minutes for a year
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

Register-ScheduledTask -TaskName "SessionMonitoring" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal
  3. Configure Windows Event Forwarding for centralized monitoring:
# Enable WinRM on the source computers (event forwarding rides on the WinRM listener)
winrm quickconfig -force

# Create the event subscription (run on the collector server)
wecutil cs SessionDestructionSubscription.xml

# Example subscription XML content. Only the query part is shown; a complete
# source-initiated subscription also needs the SubscriptionType, Uri, LogFile and
# AllowedSourceDomainComputers elements.
# <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
#   <SubscriptionId>SessionDestruction</SubscriptionId>
#   <Query><![CDATA[<QueryList><Query><Select Path="Security">*[System[EventID=6279]]</Select></Query></QueryList>]]></Query>
# </Subscription>
05

Advanced Forensic Analysis and Troubleshooting

Perform deep forensic analysis when Event ID 6279 patterns indicate potential security incidents or system issues.

  1. Create comprehensive forensic analysis queries. The field layout differs per event ID, so map each ID explicitly instead of reading fixed indices across all of them:
# Advanced forensic analysis script
$AnalysisStart = (Get-Date).AddDays(-7)

# Get all session events with detailed context
$SessionData = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=@(4624,4634,4647,6279)
    StartTime=$AnalysisStart
} | ForEach-Object {
    $e = $_
    $p = $e.Properties
    # Safe accessor: older or truncated events can carry fewer fields than expected
    $Field = { param($i) if ($i -lt $p.Count) { $p[$i].Value } }

    # Documented layouts for 4624 (Target* fields, IpAddress at 18, ProcessName at 17),
    # 4634 and 4647 (Target* fields); the 6279 layout is the one this article assumes
    switch ($e.Id) {
        4624    { $User = & $Field 5; $LogonID = & $Field 7; $LogonType = & $Field 8; $SourceIP = & $Field 18; $Process = & $Field 17 }
        4634    { $User = & $Field 1; $LogonID = & $Field 3; $LogonType = & $Field 4; $SourceIP = $null;        $Process = $null }
        4647    { $User = & $Field 1; $LogonID = & $Field 3; $LogonType = $null;      $SourceIP = $null;        $Process = $null }
        default { $User = & $Field 1; $LogonID = & $Field 3; $LogonType = & $Field 5; $SourceIP = & $Field 6;   $Process = $null }
    }

    [PSCustomObject]@{
        TimeCreated   = $e.TimeCreated
        EventID       = $e.Id
        UserName      = $User
        LogonID       = "$LogonID"      # stringified so logon and logoff IDs compare equal regardless of numeric type
        LogonType     = $LogonType
        SourceIP      = $SourceIP
        ProcessName   = $Process
        AllProperties = @($p | ForEach-Object Value)
    }
}

# Identify anomalous patterns
$AnomalousPatterns = $SessionData | Group-Object UserName | Where-Object {
    $_.Count -gt 100 -or  # High session count
    ($_.Group | Group-Object SourceIP | Measure-Object).Count -gt 10  # Multiple source IPs
}
  2. Analyze session termination reasons and correlate with system events (1074 shutdown/restart initiated, 6005/6006 event log started/stopped, 6008 unexpected shutdown, 6009 boot):
# Correlate with system events that might cause session termination
$SystemEvents = Get-WinEvent -FilterHashtable @{
    LogName='System'
    Id=@(1074,6005,6006,6008,6009)
    StartTime=$AnalysisStart
}

# Find sessions terminated near system events
$CorrelatedEvents = foreach ($SysEvent in $SystemEvents) {
    $NearbySessionEvents = $SessionData | Where-Object {
        $_.EventID -eq 6279 -and
        [Math]::Abs(($_.TimeCreated - $SysEvent.TimeCreated).TotalMinutes) -lt 5
    }
    
    if ($NearbySessionEvents) {
        [PSCustomObject]@{
            SystemEvent = $SysEvent.Id
            SystemTime = $SysEvent.TimeCreated
            AffectedSessions = $NearbySessionEvents.Count
            Users = ($NearbySessionEvents.UserName | Sort-Object -Unique) -join ', '
        }
    }
}
  3. Generate detailed forensic reports:
# Generate comprehensive session report
$Report = @{
    TotalSessions = ($SessionData | Where-Object EventID -eq 6279).Count
    UniqueUsers = ($SessionData.UserName | Sort-Object -Unique).Count
    TopUsers = $SessionData | Group-Object UserName | Sort-Object Count -Descending | Select-Object -First 10
    SessionsByHour = $SessionData | Group-Object {$_.TimeCreated.Hour} | Sort-Object Name
    RemoteSessions = $SessionData | Where-Object {$_.SourceIP -and $_.SourceIP -ne '-'}
    AnomalousPatterns = $AnomalousPatterns
    SystemCorrelations = $CorrelatedEvents
}

# Export to JSON for further analysis (create the output folder first; Out-File does not)
New-Item -ItemType Directory -Path "C:\Forensics" -Force | Out-Null
$Report | ConvertTo-Json -Depth 3 | Out-File "C:\Forensics\SessionAnalysis_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
Warning: Forensic analysis can be resource-intensive. Run during off-peak hours and consider using background jobs for large datasets.

Overview

This article uses Event ID 6279 as the Security log event that records when a user logon session is destroyed or terminated, whether through normal logoff, remote desktop disconnection, session timeout, or forced termination by system policy. Session-end events of this kind are part of the Logon/Logoff audit category and provide the information needed to track a session's lifecycle from creation to destruction; the documented members of that category are 4634, 4647 and 4779, so confirm which ID your systems log before building on it.

Detailed session tracking is most common in environments with strict audit requirements, such as financial institutions, healthcare organizations, and government agencies. Administrators use these events to monitor user activity patterns, investigate security incidents, and demonstrate compliance with organizational policies on session management.

The event identifies the terminated session by user account, Logon ID and logon type (interactive, network, remote, and so on). Understanding it is essential for maintaining a complete audit trail and for troubleshooting session-related issues in enterprise Windows environments.

Frequently Asked Questions

What does Windows Event ID 6279 mean and when does it occur?
This article uses Event ID 6279 for the destruction or termination of a user logon session in Windows: an informational event written whenever a session ends, including normal logoffs, remote desktop disconnections, session timeouts, administrative termination and system shutdowns. It is logged in the Security event log and identifies the terminated session by user account, logon type and Logon ID, which is the key for correlating it with other audit events. Confirm the event's provider and description on your own systems, because Microsoft's audit reference documents session end under 4634, 4647 and 4779 and lists 6279 among the Network Policy Server events.
How can I correlate Event ID 6279 with user logon events to track session duration?
Match the Logon ID field of the session-end event with the TargetLogonId of the corresponding 4624 (successful logon) event. Use PowerShell to query both event types and join them on that value; session duration is then the logoff time minus the logon time. The Logon ID is unique for each session on a given host and serves as the primary key for correlation across audit events. 4625 (failed logon) events cannot be joined this way, since no session and therefore no Logon ID was created.
Why am I not seeing Event ID 6279 in my Security log?
Session-end events require the audit policy to be configured. Enable 'Audit Logon' and 'Audit Logoff' under the Logon/Logoff category in Advanced Audit Policy Configuration. From the command line, 'auditpol /set /subcategory:"Logoff" /success:enable' is enough for logoff events (the Logoff subcategory has no failure events), or configure it through Group Policy at Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff. If the policy is enabled and the event still does not appear, check that the ID you are filtering on is the one your system actually writes for session end.
What information is contained in Event ID 6279 and how can I extract it programmatically?
The fields used in this article are the Subject Security ID (user SID), Account Name, Account Domain, Logon ID (for correlation), Session Name, Logon Type (interactive, network, service, and so on) and, for remote sessions, the Source Network Address. Extract them with Get-WinEvent and the Properties array, which holds the EventData values in the order the event defines them. The scripts here assume Properties[1] is the account name, Properties[3] the Logon ID and Properties[5] the logon type; confirm that order from the event's XML on your system, because it differs between event IDs (for 4624, for example, the target Logon ID is Properties[7] and the logon type Properties[8]). Build custom objects from the values to structure the data for analysis and reporting.
How can I use Event ID 6279 for security monitoring and incident response?
Session-end events support security monitoring by exposing unusual session patterns that may indicate compromise or policy violations. Watch for sessions with very short durations (a session created and torn down by a script rather than a person), bursts of session terminations for the same account in a short window (automated use of an account or of stolen credentials), logons from unusual source addresses or at unusual times, and sessions terminated immediately after logon. Automate these checks with PowerShell scripts or SIEM rules. During incident response, correlate the session-end events with the matching 4624 events and with other security events to build a timeline of user activity and establish the scope of a potential breach.
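To make those detections concrete, here is an added PowerShell example (not from the original article) that implements the three patterns named above and in step 04 over a constructed set of session records: sessions destroyed within a few minutes of logon, a burst of logoffs for one account inside a short window, and one account logging on from more distinct source addresses than expected. The record layout, thresholds, function names and the sample data are assumptions for the example; in production, build $Records from the extraction in step 02 (4624 plus the logoff events). A logon with no logoff yet, like the last sample record, is simply not scored.

```powershell
# Added example (not from the original article): the FAQ's detection patterns run
# over constructed session records so the logic can be executed offline.

# Constructed sample: alice works a normal day; svc-backup has four sub-minute sessions
# from three addresses inside six minutes; bob is logged on with no logoff yet.
$base = Get-Date '2026-03-18 08:00:00'
$Records = @(
    [PSCustomObject]@{ EventId = 4624; User = 'alice';      LogonId = 0x3E7A1; Time = $base;                 SourceIP = '10.0.0.5' }
    [PSCustomObject]@{ EventId = 6279; User = 'alice';      LogonId = 0x3E7A1; Time = $base.AddHours(8);     SourceIP = $null }
    [PSCustomObject]@{ EventId = 4624; User = 'svc-backup'; LogonId = 0x4F001; Time = $base.AddMinutes(1);   SourceIP = '10.0.0.9' }
    [PSCustomObject]@{ EventId = 6279; User = 'svc-backup'; LogonId = 0x4F001; Time = $base.AddMinutes(1.5); SourceIP = $null }
    [PSCustomObject]@{ EventId = 4624; User = 'svc-backup'; LogonId = 0x4F002; Time = $base.AddMinutes(2);   SourceIP = '10.0.0.21' }
    [PSCustomObject]@{ EventId = 4634; User = 'svc-backup'; LogonId = 0x4F002; Time = $base.AddMinutes(2.5); SourceIP = $null }
    [PSCustomObject]@{ EventId = 4624; User = 'svc-backup'; LogonId = 0x4F003; Time = $base.AddMinutes(4);   SourceIP = '192.168.5.4' }
    [PSCustomObject]@{ EventId = 6279; User = 'svc-backup'; LogonId = 0x4F003; Time = $base.AddMinutes(4.5); SourceIP = $null }
    [PSCustomObject]@{ EventId = 4624; User = 'svc-backup'; LogonId = 0x4F004; Time = $base.AddMinutes(6);   SourceIP = '10.0.0.9' }
    [PSCustomObject]@{ EventId = 4647; User = 'svc-backup'; LogonId = 0x4F004; Time = $base.AddMinutes(6.5); SourceIP = $null }
    [PSCustomObject]@{ EventId = 4624; User = 'bob';        LogonId = 0x51A00; Time = $base.AddMinutes(30);  SourceIP = '10.0.0.7' }
)

function Get-SessionPairs {
    param([Parameter(Mandatory)][object[]]$Records)
    # Index logons by Logon ID, then join each logoff to its logon on that key
    $logons = @{}
    foreach ($r in $Records) { if ($r.EventId -eq 4624) { $logons[$r.LogonId] = $r } }
    foreach ($r in $Records) {
        if ($r.EventId -notin @(6279, 4634, 4647)) { continue }
        $on = $logons[$r.LogonId]
        if (-not $on) { continue }     # logoff whose logon lies outside the analysed window
        [PSCustomObject]@{
            User = $on.User; LogonId = $r.LogonId; SourceIP = $on.SourceIP
            LogonTime = $on.Time; LogoffTime = $r.Time; Duration = $r.Time - $on.Time
        }
    }
}

function Find-SuspiciousSessions {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$ShortMinutes = 5,          # assumption: shorter than this is "terminated immediately"
        [int]$BurstCount = 3,            # assumption: this many logoffs for one account...
        [int]$BurstWindowMinutes = 10,   # ...inside this window is a burst
        [int]$MaxSourceIPs = 2           # assumption: more distinct logon addresses than this is unusual
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $pairs = @(Get-SessionPairs -Records $Records)

    # 1. Sessions destroyed shortly after logon
    foreach ($p in $pairs) {
        if ($p.Duration.TotalMinutes -lt $ShortMinutes) {
            $findings.Add([PSCustomObject]@{ Rule = 'short-session'; User = $p.User
                Detail = "LogonId 0x{0:X} lasted {1:N1} min" -f $p.LogonId, $p.Duration.TotalMinutes })
        }
    }
    # 2. Burst of logoffs for one account: sliding window over sorted logoff times
    foreach ($g in ($pairs | Group-Object User)) {
        $times = @($g.Group.LogoffTime | Sort-Object)
        for ($i = 0; $i + $BurstCount - 1 -lt $times.Count; $i++) {
            if (($times[$i + $BurstCount - 1] - $times[$i]).TotalMinutes -le $BurstWindowMinutes) {
                $findings.Add([PSCustomObject]@{ Rule = 'logoff-burst'; User = $g.Name
                    Detail = "$BurstCount logoffs within $BurstWindowMinutes min from $($times[$i])" })
                break
            }
        }
    }
    # 3. One account arriving from many source addresses (taken from the logon events)
    $logons = $Records | Where-Object { $_.EventId -eq 4624 -and $_.SourceIP -and $_.SourceIP -ne '-' }
    foreach ($g in ($logons | Group-Object User)) {
        $ips = @($g.Group.SourceIP | Sort-Object -Unique)
        if ($ips.Count -gt $MaxSourceIPs) {
            $findings.Add([PSCustomObject]@{ Rule = 'multi-source'; User = $g.Name; Detail = ($ips -join ', ') })
        }
    }
    return $findings
}

# Usage: on the sample this yields six findings, all for svc-backup
# (four short-session, one logoff-burst, one multi-source); alice and bob are clean.
Find-SuspiciousSessions -Records $Records | Format-Table Rule, User, Detail -AutoSize
```

The join on Logon ID is done through a hashtable rather than a nested Where-Object so the cost stays linear in the number of events, which matters on a terminal server producing thousands of sessions a day; the thresholds are parameters precisely because the right values differ between an RDS farm, a workstation fleet and a service account population.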
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
