I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not.
The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time being, especially if you're not running any non-Microsoft Kerberos code.
First you need to know that you can only log on using a smart card in Windows when you authenticate to a domain using the Kerberos protocol. There is a cached logon mechanism in Windows XP so you can log on using your smart card when a domain controller is unavailable but Windows will attempt to acquire domain credentials automatically for you, under the hood, when you log on this way, and you won't be able to touch any other machine on the network using domain authentication until you authenticate to the DC.
Now for you guys that are not Kerberos gurus, there are three phases to Kerberos authentication:
1. Authentication Service Request (AS-REQ) & Reply, where the client presents credentials to a KDC and obtains a ticket-granting ticket.
2. Ticket-Granting Service Request (TGS-REQ) & Reply, where the client presents a TGT to a KDC and obtains a service ticket.
3. Application Request (AP-REQ or just normal application traffic), where the client presents a service ticket to an application and requests service.
In Windows, #1 generates security event ID 672 on the DC (on Windows 2000 the failure event is 675 but in Windows Server 2003 the failure event is the same as the success event, 672). Event 672 records who requested the ticket, their IP address, etc., and also includes the kind of credentials they used, called the "patype" or "preauth type", short for "pre-authentication type". Preauth types are discussed in the Kerberos RFC, RFC 4120 in section 7.5.2.
In Windows, #2 generates security event ID 673 on the DC (on Windows 2000, the failure event is 676, in WS03, it's 673)
In Windows, #3 causes a logon event (528 or 540) on the machine that is accessed, if the "application" is the machine itself, that is to say that the "service" is "host\machinename".
OK, now that the background is out of the way, back to the question. How do I know if it was a smart card logon?
Well, as mentioned, the preauth type is listed in event 672. Smart cards use public keys for pre-authentication (patype = PKINIT, which is 14, 15, 16, or 17 we learn from RFC 4120). So if you see one of these preauth types in this event on the DC, you know that it was a smart card logon- WRONG! You know actually just that it was a PKINIT logon.
However, currently the only logons built into Windows that use PKINIT preauth type over Kerberos, are smart card logons. So for the time being you can make the assumption.