Understanding TargetLinkedLogonId and Paired Logon Sessions


Looking to understand the TargetLinkedLogonId added to the Security Audit event in Windows 10 (and the associated concept of paired logon sessions) ref: https://learn.microsoft.com/en-us/windows/device-security/auditing/event-4624

A console (interactive) login to Windows 10 with a local admin account produces the following events:

4648 (Logon Attempt with explicit credentials)

  • SubjectLogonId = 0x3e7

4624 (Logon success)

  • SubjectLogonId = 0x327
  • TargetLogonId = 0xbe87a9
  • TargetLinkedLogonId = 0xbe87cc
  • ElevatedToken = Yes

4624 (Logon success)

  • SubjectLogonId = 0x327
  • TargetLogonId = 0xbe87cc
  • TargetLinkedLogonId = 0xbe87a9
  • ElevatedToken = No

4672 (Special Privileges Assigned)

  • SubjectLogonId = 0xbe87a9

So there are two logon success events matching the logon attempt event, each with different sessions (different TargetLogonId). The two sessions are linked to each other (TargetLinkedLogonId). Something that seems strange is that the 4672 (Special Privileges) event is linked to the 4624 event that has ElevatedToken=No. Wouldn't the session with the elevated token be the session that gets the Special Privileges?

Also in general, why are there two sessions created for a local admin login?
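
The correlation the question walks through, as an added example that is not part of the original post: it indexes 4624 events by TargetLogonId, pairs sessions whose TargetLinkedLogonId values point at each other, and records which session of the pair a 4672 event names in SubjectLogonId. The dict layout and function names are assumptions; the sample events are constructed from the field values listed in the question.

```python
# Constructed sample: the field values listed in the question, one dict per event.
EVENTS = [
    {"EventID": 4648, "SubjectLogonId": "0x3e7"},
    {"EventID": 4624, "SubjectLogonId": "0x327", "TargetLogonId": "0xbe87a9",
     "TargetLinkedLogonId": "0xbe87cc", "ElevatedToken": "Yes"},
    {"EventID": 4624, "SubjectLogonId": "0x327", "TargetLogonId": "0xbe87cc",
     "TargetLinkedLogonId": "0xbe87a9", "ElevatedToken": "No"},
    {"EventID": 4672, "SubjectLogonId": "0xbe87a9"},
]


def logon_id(value):
    """Parse a hex logon ID string so '0xBE87A9' and '0xbe87a9' compare equal."""
    return int(value, 16)


def correlate(events):
    """Pair 4624 sessions via TargetLinkedLogonId and attach 4672 events."""
    sessions = {}
    for ev in events:
        if ev["EventID"] == 4624:
            sessions[logon_id(ev["TargetLogonId"])] = {
                "linked": logon_id(ev.get("TargetLinkedLogonId", "0x0")),
                "elevated": ev.get("ElevatedToken") == "Yes",
            }
    # Logon IDs that a 4672 event names in SubjectLogonId.
    privileged = {logon_id(ev["SubjectLogonId"])
                  for ev in events if ev["EventID"] == 4672}
    pairs = []
    for sid, info in sessions.items():
        peer = sessions.get(info["linked"])
        # Skip sessions with no link (0x0), a missing peer event, or a
        # link that the peer does not return.
        if peer is None or peer["linked"] != sid:
            continue
        # Report each pair once, from the side whose ElevatedToken is Yes.
        if info["elevated"] and not peer["elevated"]:
            pairs.append({
                "elevated": hex(sid),
                "non_elevated": hex(info["linked"]),
                "special_privileges": sorted(
                    hex(i) for i in privileged & {sid, info["linked"]}),
            })
    return pairs


if __name__ == "__main__":
    for pair in correlate(EVENTS):
        print(pair)
```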
