EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 4647Audit SuccessSecurity

Windows Event ID 4647User Initiated Logoff

Logged when a user explicitly logs off (Start → Logoff). Complements 4634, which covers all session terminations including automatic ones.

Why It Matters

Distinguishing between explicit logoffs and session timeouts can help correlate user activity with other events. When no 4647 is logged for an unexpectedly terminated session, the termination may have been forced.

Key Fields

Account NameThe user who initiated the logoff
Logon IDLinks to the original 4624 session

Investigation Tips

  1. 1.A 4634 without a preceding 4647 for an interactive session can mean the session was terminated by someone else or by the system.

Related Event IDs

4624Logon event for this session
4634Session termination (always follows 4647)

See Event ID 4647 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects user initiated logoff patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →