EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 4634Audit SuccessSecurity

Windows Event ID 4634Account Logoff

Logged when an account's logon session ends. Paired with 4624 it lets you reconstruct the full duration of a session.

Why It Matters

On its own, 4634 is low-value. Combined with 4624, it lets you calculate session duration — useful for spotting abnormally long interactive sessions or overnight access that shouldn't exist.

Key Fields

Logon IDLinks back to the matching 4624 event for this session
Logon TypeSame types as 4624 — helps identify which type of session ended
Account NameThe account whose session ended

Investigation Tips

  1. 1.Join 4624 and 4634 on Logon ID to get session start and end times.
  2. 2.Note that network (Type 3) logoffs are often not reliably logged — missing 4634s for network logons are normal.
  3. 3.Long gaps between 4624 and 4634 on an admin account late at night warrant investigation.

Related Event IDs

4624Account logon — the matching session start
4647User-initiated logoff

See Event ID 4634 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects account logoff patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →