
Determining if user is actually logged off in a domain - Windows Active Directory


I am writing a Windows service which monitors account login and logoff events within a domain (Windows 2012). The login event ID is 4624 and the logoff event ID is 4634. However, I am seeing these two events in pairs, i.e. event 4624 immediately followed by event 4634. What should be the approach to determine if the user is actually logged off from a machine in a domain? Note: I am interested only in interactive logon sessions (not network, service or others).


Solution

  • You might want to look at event 4647, which is logged whenever a user logs off. If interactive sessions are all you're interested in, you should also limit yourself to relevant logon types (2, 7, 10, 11) in the 4624 event.
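The filtering suggested above, as an added example that is not part of the original answer: it keeps only 4624 events with logon types 2, 7, 10 and 11, and pairs them with logoff events through the `TargetLogonId` field. It assumes the service has already parsed Security events into dicts; pairing by logon ID and counting a 4634 for a tracked session as its end go beyond what the answer states, and the sample records are constructed.

```python
# Logon types the answer lists for interactive sessions.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Constructed sample records (not real log data). Each dict is a hypothetical,
# already-parsed Security event; TargetUserName, TargetLogonId and LogonType
# are the EventData field names Windows uses in these events.
SAMPLE_EVENTS = [
    # Network logon (type 3) followed at once by 4634: the pair from the question.
    {"time": "2024-01-01T09:00:00", "id": 4624, "computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x1a2b", "LogonType": 3},
    {"time": "2024-01-01T09:00:01", "id": 4634, "computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x1a2b", "LogonType": 3},
    # Console logon (type 2), later ended by a user-initiated logoff (4647).
    {"time": "2024-01-01T09:05:00", "id": 4624, "computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x3c4d", "LogonType": 2},
    {"time": "2024-01-01T17:30:00", "id": 4647, "computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x3c4d"},
    # Remote Desktop logon (type 10) with no logoff event yet.
    {"time": "2024-01-01T10:00:00", "id": 4624, "computer": "WS02",
     "TargetUserName": "bob", "TargetLogonId": "0x5e6f", "LogonType": 10},
]


def track_interactive_sessions(events):
    """Return (open_sessions, closed_sessions) for interactive logons only."""
    open_sessions = {}   # (computer, logon id) -> (user, logon time)
    closed_sessions = []  # (user, computer, logon time, logoff time)
    for ev in sorted(events, key=lambda e: e["time"]):
        # A logon ID is only unique on the machine that issued it.
        key = (ev["computer"], ev["TargetLogonId"])
        if ev["id"] == 4624:
            if ev.get("LogonType") in INTERACTIVE_LOGON_TYPES:
                open_sessions[key] = (ev["TargetUserName"], ev["time"])
        elif ev["id"] in (4647, 4634) and key in open_sessions:
            # Assumption: 4647 is the logoff signal; a 4634 carrying the same
            # logon ID as a tracked session is also treated as its end.
            user, started = open_sessions.pop(key)
            closed_sessions.append((user, ev["computer"], started, ev["time"]))
    return open_sessions, closed_sessions


if __name__ == "__main__":
    still_open, closed = track_interactive_sessions(SAMPLE_EVENTS)
    print("still logged on:", still_open)
    print("logged off:", closed)
```

The type 3 logon and its immediate 4634 never enter the tracked set, so they do not register as a user logging off.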