FireDaemon Zero can optionally add log entries to the Windows Application Event Log that record significant events such as when a user interactively switches to or from Session 0.

By examining these event log entries, administrators can identify who switched to Session 0, reverted from Session 0, or was returned to their logged-in session.

Preference settings are available to enable or disable this event logging behaviour.


The FireDaemon Zero Global Preferences section is used to configure system security and logging policies:

  1. In the System tray, right-click the FireDaemon Zero icon and select Options.

  2. Click Auditing.

    FireDaemon Zero Preferences Auditing
  3. Use the checkboxes to enable or disable the corresponding logging action, then click OK.

    The following table describes the entries that FireDaemon Zero will record in the Application Event Log in each circumstance. In all cases, the Source of the event is set to FireDaemon Zero.

ActionEvent IDTask Category (ID)Event MessageLevelEvent User InformationReporting FireDaemon Tool
Switches to0Session 0 (1)User <user> switches to Session 0.Information<Session User>FDZero Tray
Reverts from1Session 0 (1)User reverts from Session 0 to their logged-in session.Information
FDZero Tray
Kicks out2Session 0 (1)User <user> kicks Session 0.Information<Process User>FDUI0Control
Takes control over
(i.e. steals)
3Session 0 (1)User <user> takes control of Session 0.Information<Session User><Session User>
Returned to logged-on session, e.g. as a result of a timeout.
4Session 0 (1)User is returned to his or her logged-in session.Information
Notification (for Session 0):
4778Other Logon/ Logoff Events (3107)Session 0 was reconnected to a Window Station.Success
Notification (for Session 0):
4779Other Logon/ Logoff Events (3107)Session 0 was disconnected from a Window Station.Success

FireDaemon Zero uses the following event categories:

Event CategoryDescription
ID 1: Session 0“Session 0” is the event category that all FireDaemon products use when reporting Session 0 related events.

ID 3107: Other Logon/Logoff Events

The “Other Logon/Logoff Events” category, together with specific event IDs, is used to imitate the entries that the Windows Security Auditing system reports.