Windows Event ID 4647 — User Initiated Logoff
Logged when a user explicitly logs off (Start → Logoff). Complements 4634, which covers all session terminations including automatic ones.
Why It Matters
Distinguishing between explicit logoffs and session timeouts can help correlate user activity with other events. When no 4647 is logged for an unexpectedly terminated session, the termination may have been forced.
Key Fields
Investigation Tips
- A 4634 without a preceding 4647 for an interactive session can mean the session was terminated by someone else or by the system.
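The check from the tip above, run over a handful of constructed events (an added example, not part of the original page or of any tool it mentions). It assumes events have already been exported to dictionaries; the `Time` key and the choice of logon types 2, 10 and 11 as "interactive" are assumptions of this example.

```python
from datetime import datetime

# Logon types treated as interactive here (an assumption of this example):
# 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed sample events, shaped like exported Security log fields.
SAMPLE_EVENTS = [
    # alice: explicit logoff (4647), then session teardown (4634).
    {"EventID": 4647, "Time": "2024-05-01T17:02:10+00:00", "Computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x3E4A1"},
    {"EventID": 4634, "Time": "2024-05-01T17:02:11+00:00", "Computer": "WS01",
     "TargetUserName": "alice", "TargetLogonId": "0x3e4a1", "LogonType": 2},
    # bob: remote interactive session ends with no 4647.
    {"EventID": 4634, "Time": "2024-05-01T17:30:00+00:00", "Computer": "WS01",
     "TargetUserName": "bob", "TargetLogonId": "0x51c07", "LogonType": 10},
    # svc_backup: network logon (type 3), outside the scope of this check.
    {"EventID": 4634, "Time": "2024-05-01T17:45:00+00:00", "Computer": "WS01",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x77aa0", "LogonType": 3},
    # carol on WS02 reuses alice's logon ID value; alice's 4647 must not match.
    {"EventID": 4634, "Time": "2024-05-01T18:05:00+00:00", "Computer": "WS02",
     "TargetUserName": "carol", "TargetLogonId": "0x3e4a1", "LogonType": 2},
]

def _session_key(ev):
    # Logon IDs are only unique per host, so pair them with the computer name.
    # int(..., 16) makes "0x3E4A1" and "0x3e4a1" compare equal.
    return (ev["Computer"].lower(), int(ev["TargetLogonId"], 16))

def logoffs_without_4647(events):
    """Return interactive 4634 events with no earlier 4647 for the same session."""
    # Sort by time; on equal timestamps put 4647 before 4634.
    ordered = sorted(events, key=lambda e: (datetime.fromisoformat(e["Time"]),
                                            -e["EventID"]))
    explicit = set()  # sessions where the user initiated the logoff
    flagged = []
    for ev in ordered:
        if ev["EventID"] == 4647:
            explicit.add(_session_key(ev))
        elif ev["EventID"] == 4634 and ev.get("LogonType") in INTERACTIVE_TYPES:
            if _session_key(ev) not in explicit:
                flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for ev in logoffs_without_4647(SAMPLE_EVENTS):
        print(ev["Time"], ev["Computer"], ev["TargetUserName"], ev["TargetLogonId"])
```

A flagged session is a lead for review alongside other events on the host, not a verdict; as the tip says, the system itself can also end a session.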