Timeline for logon/logoff events

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Curious to know if anyone has had to do this before?

I've been asked to plot a timeline of a user logging on and off for the last 6 months. So I go straight to the security.evtx (Windows 7 Pro OS) for the logon and logoff events, but I haven't got a great tool for this type of work, or possibly I'm not experienced enough using this particular tool (Globe ELX).

Any tips/thoughts?

Edit: I've isolated the event types (4634 & 4624) that I want and, using keywords from the description, isolated the logon/logoff events for the correct user, but have hit a slight snag in that Windows gives the same event ID to different logon/logoff events depending on other parameters.

i.e. logon type 2 is the normal one where you type your password into your computer, type 7 is when you simply unlock your screen saver, and type 11 is when you log on to a computer that is normally part of the domain but isn't currently connected, so it uses cached information.

I basically need to isolate it to the type 2 logon/logoff events but Globe doesn't give me that level of filter.

I feel a headache coming on; far too many logs to do it manually either, before someone suggests that :)

 
Posted : 11/03/2013 12:05 pm
(@chris55728)
Posts: 49
Eminent Member
 

I did something similar to this recently.

The Event IDs you're after are 4647 (Logoff) and 4624 (Logon).

You can do everything you need from the standard Event Viewer.

- Open Event Viewer.
- Click on 'Create Custom View…'.
- Change the 'Logged' option to be your specific timeframe (or leave it as it is and then you can filter out what you don't need at a later time).
- Tick the 'Information' box.
- Select the 'Event Logs' dropdown and tick 'Windows Logs' then 'Security'.
- Overtype the text '<All Event IDs>' with 4647,4624.
- Click on 'OK'.
- Name your custom view and click on 'OK'.
- The view will automatically show the results of your custom view.
- Highlight all the records you wish to export.
- Right click on the selected records and select 'Copy' > 'Copy Table'.
- Open Excel.
- Right click in a cell and select Paste.
- You should have 5 columns of information.
- Might be worth changing the format of the date and time column (should be B) to include seconds.

If the logs you want have been exported from another machine, you can still load them into Event Viewer by right clicking where it says 'Event Viewer (Local)' and selecting 'Open Saved Log…'.

Hope that helps.

Cheers,

Chris

 
Posted : 11/03/2013 12:38 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Thanks Chris nice simple and clear cut very easy to follow.

However, I still have the issue of multiple logon types and no way to filter certain types out, as I don't want the screensaver logons mixed in with the genuine first-time logon events; these both fall under Event ID 4624 but with different type IDs.

Also there doesn't appear to be a way to filter based on the 'Account Name' field with the standard event viewer. With Globe I'm able to use keywords from the details pane to further filter my results.

 
Posted : 11/03/2013 12:50 pm
(@athulin)
Posts: 1156
Noble Member
 

Any tips/thoughts?

Doesn't Log Parser do .evtx files? I know that's the tool I use when I need something tricky done on .evt files, so it would probably be the first I'd try in this kind of situation.

Even if it's just extracting all the data and converting it to a format I can feed to Access or suchlike.

The learning curve is fairly steep though; you need to spend some time learning how things work. The Log Parser book helps: chapter 3 is all about event log access.

 
Posted : 11/03/2013 3:41 pm
(@randomaccess)
Posts: 385
Reputable Member
 

I've looked into this before on my domain workstation.
I found that the event log indicated login events when I wasn't there (seemingly system-related) and nothing substantial relating to logoff events.

I read somewhere that Windows doesn't reliably log logoff events, but I can't remember where. If I find it I'll post it up here.

Either way, make sure to include shutdown times (maybe parse restore points using ripxp); you can also add in last login times from the SAM as some level of confirmation.
Not to mention standby, hibernate and auto-lock if it was active.

Sorry for adding more than the original question asked for, but I'd be keen to see what you've come up with.

 
Posted : 11/03/2013 3:49 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Yeah I read that Windows was less than reliable when it comes to these events too.

Given the time frame I have I may have to simply include all the logon events regardless of type and then try and filter within excel somehow.

The logon events are more important than the logoff or shutdowns, as it's the start time for each day that is of interest here, so for simplicity's sake I might start with them and maybe filter for the time of day to knock out most of the screen saver logon events and see if that works.

 
Posted : 12/03/2013 4:19 am
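The two snags raised so far (Event ID 4624 covers console, screen-unlock and cached-credential logons alike, and the stock Event Viewer view offers no Account Name filter) are straightforward once the events are out of the .evtx as XML. The following Python is an added example, not code posted by anyone in this thread. It assumes the log was dumped with `wevtutil qe Security.evtx /lf:true /f:xml` (which prints the events without a root element, so wrap the output in one before parsing), keeps only the 4624 events whose LogonType and TargetUserName match, pairs each with its 4634/4647 through the Logon ID both events carry, and reports the first qualifying logon per day. The sample events, the user name `jsmith` and the Logon IDs are constructed for illustration.

```python
"""Per-user logon timeline from Security-log XML, filtered by logon type.

Added example (not from the thread). Input is the XML that
`wevtutil qe Security.evtx /lf:true /f:xml` emits, wrapped in one root element.
The sample events below are constructed for illustration, not real log data.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON = 4624
LOGOFF = {4634, 4647}


def _event(event_id, system_time, **data):
    """Construct one <Event> in the shape wevtutil emits (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample: one user's console logon (type 2), screen unlock (type 7, with
# the 4634 Windows writes a second later), cached-credential logon (type 11), plus a
# service logon for SYSTEM (type 5) that a bare "EventID=4624" filter would sweep in.
SAMPLE_XML = "<Events>" + "".join([
    _event(4624, "2013-03-04T08:02:11.1234567Z", TargetUserName="jsmith", LogonType=2, TargetLogonId="0x3e7a1"),
    _event(4624, "2013-03-04T10:15:40.0000000Z", TargetUserName="jsmith", LogonType=7, TargetLogonId="0x5a9c0"),
    _event(4634, "2013-03-04T10:15:41.0000000Z", TargetUserName="jsmith", LogonType=7, TargetLogonId="0x5a9c0"),
    _event(4624, "2013-03-04T12:00:00.0000000Z", TargetUserName="SYSTEM", LogonType=5, TargetLogonId="0x3e7"),
    _event(4647, "2013-03-04T17:30:05.0000000Z", TargetUserName="jsmith", TargetLogonId="0x3e7a1"),
    _event(4624, "2013-03-05T08:45:00.0000000Z", TargetUserName="jsmith", LogonType=11, TargetLogonId="0x7b210"),
    _event(4624, "2013-03-05T09:10:00.0000000Z", TargetUserName="jsmith", LogonType=2, TargetLogonId="0x81f33"),
]) + "</Events>"


def parse_time(system_time):
    """'2013-03-04T08:02:11.1234567Z' -> aware UTC datetime (7-digit fraction trimmed to 6)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", system_time)
    if not m:
        raise ValueError(f"unexpected SystemTime: {system_time!r}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Yield (event_id, time, data) per <Event>; data maps EventData/Data@Name -> text."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        system = ev.find("e:System", NS)
        event_id = int(system.find("e:EventID", NS).text)
        when = parse_time(system.find("e:TimeCreated", NS).get("SystemTime"))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, when, data


def user_sessions(events, user, logon_types=frozenset({2})):
    """(logon_time, logoff_time or None) for each 4624 of `user` whose LogonType is allowed.

    The logoff (4634 or 4647) is matched through TargetLogonId, the per-session ID that
    both event types carry, rather than guessed from timestamps. A missing logoff is
    reported as None instead of being invented.
    """
    allowed = {str(t) for t in logon_types}
    logons, logoffs = [], {}
    for event_id, when, data in events:
        if data.get("TargetUserName", "").lower() != user.lower():
            continue
        if event_id == LOGON and data.get("LogonType") in allowed:
            logons.append((when, data.get("TargetLogonId")))
        elif event_id in LOGOFF:
            logoffs.setdefault(data.get("TargetLogonId"), when)
    logons.sort(key=lambda item: item[0])
    return [(when, logoffs.get(logon_id)) for when, logon_id in logons]


def first_logon_per_day(sessions, tz=timezone.utc):
    """Earliest qualifying logon on each calendar day (in tz), the 'start time' asked for above."""
    first = {}
    for logon, _ in sessions:
        day = logon.astimezone(tz).date()
        if day not in first or logon < first[day]:
            first[day] = logon
    return first


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_XML))
    for logon, logoff in user_sessions(events, "jsmith", logon_types={2}):
        end = f"{logoff:%Y-%m-%d %H:%M:%S}" if logoff else "(no logoff recorded)"
        print(f"{logon:%Y-%m-%d %H:%M:%S}  ->  {end}")
    for day, start in first_logon_per_day(user_sessions(events, "jsmith")).items():
        print(f"first console logon {day}: {start:%H:%M:%S} UTC")
```

Passing `logon_types={2, 7, 11}` shows why the unlock events pollute the timeline: each type 7 logon gets its own Logon ID and a 4634 a second later, so it appears as a one-second "session". SystemTime is UTC, so pass a local `tz` to `first_logon_per_day` if the day boundary matters. The same LogonType/TargetUserName filter can also be typed into the XML tab of Event Viewer's Create Custom View dialog as an XPath query, e.g. `*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='2' and Data[@Name='TargetUserName']='jsmith']]`, which the dialog's Event ID box alone cannot express.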
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Using logparser

LogParser.exe -i:EVT -o:CSV "SELECT * FROM eventlog.evtx" > output.csv

There are other events of interest than those two - screen lock/unlock for example is real handy.

 
Posted : 13/03/2013 12:32 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I read somewhere that windows doesn't realibly log log off events but I can't remember where. If I find it ill post up here.

That issue applied to event ID 538 records, which is from XP/2003
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=538

From here
http://blogs.msdn.com/b/ericfitz/archive/2007/05/08/the-trouble-with-logoff-events.aspx

"This causes the reference counts to never drop to zero, and prevents us from generating the logoff event as a result."

I hope that clears that issue up a bit for all concerned…I wouldn't want "…I heard someplace…" to become a "fact".

Either way, make sure to include shutdown times (maybe parse restore points using ripxp)…

How would this work, given that the OP stated that the system was Windows 7?

Thanks.

 
Posted : 13/03/2013 5:17 am
(@randomaccess)
Posts: 385
Reputable Member
 

I read somewhere that windows doesn't realibly log log off events but I can't remember where. If I find it ill post up here.

That issue applied to event ID 538 records, which is from XP/2003
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=538

From here
http://blogs.msdn.com/b/ericfitz/archive/2007/05/08/the-trouble-with-logoff-events.aspx

"This causes the reference counts to never drop to zero, and prevents us from generating the logoff event as a result."

I hope that clears that issue up a bit for all concerned…I wouldn't want "…I heard someplace…" to become a "fact".

Either way, make sure to include shutdown times (maybe parse restore points using ripxp)…

How would this work, given that the OP stated that the system was Windows 7?

Thanks.

Sorry, was sitting at a ferry terminal in Thailand. Was difficult to do the proper linkage on my phone but I appreciate you finding it and posting it up Harlan.

And sorry, didn't see the OS.
Parse VSCs then, but the sentiment still stands. If possible, parse shutdown times from previous versions of the registry.

 
Posted : 13/03/2013 1:39 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

If you want to filter on account names, better to convert to CSV/Text format, fire up a command shell, then type

type filename.csv | find /i "accountname" >newfilename.csv

This will produce a new file by string-matching "accountname" against the file content. If you're using Linux, use grep instead.

 
Posted : 16/03/2013 6:16 pm