Audit Policy: Logon-Logoff: Other Logon/Logoff Events This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: ? 4649: A replay attack was detected. ? 4778: A session was reconnected to a Window Station. ? 4779: A session was disconnected from a Window Station. ? 4800: The workstation was locked. ? 4801: The workstation was unlocked. ? 4802: The screen saver was invoked. ? 4803: The screen saver was dismissed. ? 5378: The requested credentials delegation was disallowed by policy. ? 5632: A request was made to authenticate to a wireless network. ? 5633: A request was made to authenticate to a wired network. Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in Windows Server 2008? for the most recent information about this setting: http://support.microsoft.com/default.aspx/kb/947226.

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff!Audit Policy: Logon-Logoff: Other Logon/Logoff Events (2) WMI: ###