Windows Event ID 4634 — Account Logoff
Logged when an account's logon session ends. Paired with 4624, it lets you reconstruct the full duration of a session.
Why It Matters
On its own, 4634 is low-value. Combined with 4624, it lets you calculate session duration — useful for spotting abnormally long interactive sessions or overnight access that shouldn't exist.
Key Fields
Investigation Tips
1. Join 4624 and 4634 on Logon ID to get session start and end times.
2. Note that network (Type 3) logoffs are often not reliably logged — missing 4634s for network logons are normal.
3. Long gaps between 4624 and 4634 on an admin account late at night warrant investigation.
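The join described in the tips above, as an added example (not EventPeeker's code): it pairs 4624 and 4634 records on host plus Logon ID, computes session durations, leaves logons with no 4634 unpaired, and flags long night-time admin sessions. The sample events, the `ADMINS` list and both thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real log data. Keys stand in for the event
# fields TargetUserName, TargetLogonId and LogonType plus the source computer.
EVENTS = [
    {"id": 4624, "time": "2024-03-04T22:41:07", "host": "SRV01", "user": "adm-jlee", "logon_id": "0x3E7A91", "type": 10},
    {"id": 4624, "time": "2024-03-05T09:02:10", "host": "WS07", "user": "mchen", "logon_id": "0x51c220", "type": 2},
    {"id": 4624, "time": "2024-03-05T09:15:30", "host": "SRV01", "user": "svc-backup", "logon_id": "0x51d004", "type": 3},
    {"id": 4634, "time": "2024-03-05T05:12:44", "host": "SRV01", "user": "adm-jlee", "logon_id": "0x3e7a91", "type": 10},
    {"id": 4634, "time": "2024-03-05T09:47:55", "host": "WS07", "user": "mchen", "logon_id": "0x51c220", "type": 2},
]
ADMINS = {"adm-jlee"}             # assumption: your own list of admin accounts
MAX_SESSION = timedelta(hours=4)  # assumption: tune to your environment
NIGHT_HOURS = (22, 6)             # assumption: 22:00-06:00 counts as "late"


def pair_sessions(events):
    """Join 4624 to 4634 on (host, Logon ID). Logon IDs are only unique per
    machine per boot, so the host is part of the key."""
    open_by_key, sessions = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["host"].lower(), int(ev["logon_id"], 16))
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624:
            s = {"user": ev["user"], "host": ev["host"], "type": ev["type"],
                 "start": ts, "end": None, "duration": None}
            open_by_key[key] = s
            sessions.append(s)
        elif ev["id"] == 4634 and key in open_by_key:
            s = open_by_key.pop(key)
            s["end"], s["duration"] = ts, ts - s["start"]
    return sessions


def flag_long_night_admin(sessions):
    """Return admin sessions that started at night and ran past MAX_SESSION."""
    flagged = []
    for s in sessions:
        if s["duration"] is None:
            continue  # no 4634 seen (normal for Type 3): no duration to evaluate
        late = s["start"].hour >= NIGHT_HOURS[0] or s["start"].hour < NIGHT_HOURS[1]
        if s["user"] in ADMINS and late and s["duration"] > MAX_SESSION:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in pair_sessions(EVENTS):
        print(s["host"], s["user"], "type", s["type"], s["start"], "->", s["end"], s["duration"])
    print("flagged:", [(s["user"], str(s["duration"])) for s in flag_long_night_admin(pair_sessions(EVENTS))])
```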