
Windows 7 Logon/off events

3 Posts
3 Users
0 Reactions
2,788 Views
(@setty)
New Member
Joined: 15 years ago
Posts: 1
Topic starter  

We are using Windows 7 Pro PCs and Server 2008 R2.

I need to identify when a user has logged on/off a PC. I have extracted and saved the Security Event Log and I am viewing it through a custom view with the following specified:
Event Sources: Microsoft Windows security auditing
Event IDs: 4624, 4634, 4800, 4801
Keywords: Audit Success

We lock all workstations via group policy after 10 minutes of inactivity. I cannot see any 4800 or 4801 IDs listed. However, there are plenty of 4624 IDs with Logon Type 7, which does signify an unlock, I believe.

Can anyone explain this in simple (and I mean very simple!) terms?

Additionally, I have also been using Find in the custom view to find only the SIDs for one particular user. I have discovered many instances of a Type 7 logon and a logoff immediately after with the same timestamp. This is then followed by another Type 7 logon for the same user SID.

Can anyone explain what is happening here in simple terms please?

Basically I need to find when this user has logged on/off their PC and I am becoming unstuck on this.

I have scoured websites including TechNet and cannot find an explanation regarding what is happening here. Plenty of information about Event IDs and logon types, but zero help.

Any help would be much appreciated !

Thanks

Simon


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Can anyone explain this in simple (and I mean very simple!) terms?

Do you have the correct auditing enabled so that the 4800 and 4801 events are generated?

If you look here: http://stackoverflow.com/questions/11385164/eventviewer-eventid-for-lock-and-unlock

The following MS article is linked https://support.microsoft.com/en-us/kb/977519

So, are you auditing for "Other Logon/Logoff Events"?


kacos
(@kacos)
Trusted Member
Joined: 10 years ago
Posts: 93
 

I need to identify when a user has logged on/off a PC

The event IDs you should look for regarding logoff are:
4634 An account was logged off.
4647 User initiated logoff.

and ID 4624 for successful logons.

Nice list of event IDs across different Windows OS versions (page 20)
SANS Windows Logon Forensics

.. However there are plenty of 4624 IDs with Logon Type 7 - which does signify an unlock I believe….

Correct. Logon type 7 means "Unlock (i.e. unattended workstation with password protected screen saver)".

..if the workstation is a member of a domain, at this point it’s possible to authenticate to this computer using a local account or a domain account – or a domain account from any domain that this domain trusts. When the user logs on with a domain account, since the user specifies a domain account, the local workstation can’t perform the authentication because the account and its password hash aren’t stored locally. So the workstation must request authentication from a domain controller via Kerberos. An authentication event (672/4768) is logged on whichever domain controller handles the authentication request from the workstation. Once the domain controller tells the workstation that the user is authenticated, the workstation proceeds with creating the logon session and records a logon event (528/4624) in its security log.

What if we logon to the workstation with an account from a trusted domain? In that case one of the domain controllers in the trusted domain will handle the authentication and log 672/4768 there, with the workstation logging 528/4624 the same as above.

In all such “interactive logons”, during logoff, the workstation will record a “logoff initiated” event (551/4647) followed by the actual logoff event (538/4634). You can correlate logon and logoff events by Logon ID which is a hexadecimal code that identifies that particular logon session…

link and this is followed by

..After logging on to a workstation you can typically re-connect to shared folders on a file server. What gets logged in this case? Remember, whenever you access a Windows computer you must obtain a logon session – in this case a “network logon” session. You might assume that the logon session begins when you connect to the share and then ends when you disconnect from it – usually when logging off your local workstation. Unfortunately this is not the case. Windows servers only keep network logon sessions alive for as long as you have a file open on the server. This accounts for repeated logon/logoff events..

which should explain your multiple logon/off events.


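The pairing kacos describes (4624 matched to 4634/4647 by Logon ID, type 7 unlocks, and same-timestamp logon/logoff pairs that are transient network or unlock sessions rather than the user leaving the PC) can be done mechanically once the Security log is exported. The script below is an added example and not code from this thread; its event records are constructed to mimic the TargetUserSid, TargetLogonId and LogonType fields of 4624/4634/4647 events, and in practice they would come from the exported .evtx (for instance parsed with python-evtx) or from Get-WinEvent output.

```python
"""Correlate Windows Security log logon/logoff events by Logon ID.

Added example, not from the forum thread. Event records are constructed
tuples of (EventID, TimeCreated, TargetUserSid, TargetLogonId, LogonType);
a real run would populate them from an exported .evtx or Get-WinEvent.
"""
from datetime import datetime

# Subset of the LogonType meanings documented for event 4624
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 7: "Unlock",
    10: "RemoteInteractive", 11: "CachedInteractive",
}
# Types that mean a person was at (or remoted into) the console
INTERACTIVE_TYPES = {2, 10, 11}

USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed SID, not a real account

# Constructed sample log, in the order the log would record it
SAMPLE_EVENTS = [
    (4624, "2015-03-02T08:01:10", USER_SID, "0x3e7a1", 2),     # console logon
    (4624, "2015-03-02T08:01:12", USER_SID, "0x3e7b0", 3),     # network logon (share access)
    (4634, "2015-03-02T08:01:12", USER_SID, "0x3e7b0", 3),     # same-second logoff of that session
    (4624, "2015-03-02T08:45:00", USER_SID, "0x4a100", 7),     # unlock
    (4634, "2015-03-02T08:45:00", USER_SID, "0x4a100", 7),     # logged off immediately
    (4624, "2015-03-02T08:45:01", USER_SID, "0x4a120", 7),     # second unlock session, never closed
    (4647, "2015-03-02T17:02:30", USER_SID, "0x3e7a1", None),  # user-initiated logoff (no LogonType field)
    (4634, "2015-03-02T17:02:31", USER_SID, "0x3e7a1", 2),     # console session torn down
    (4634, "2015-03-02T17:02:31", USER_SID, "0x1", 3),         # logoff whose logon is not in the export
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def build_sessions(events):
    """Return ({logon_id: session}, [orphan logoffs]) keyed by TargetLogonId."""
    sessions, orphans = {}, []
    for eid, ts, sid, logon_id, ltype in events:
        t = parse_time(ts)
        if eid == 4624:
            sessions[logon_id] = {"sid": sid, "type": ltype, "start": t,
                                  "end": None, "user_initiated": False}
        elif eid in (4634, 4647):
            session = sessions.get(logon_id)
            if session is None:
                # Logoff with no matching logon: log rolled over, cleared, or export too narrow
                orphans.append({"event_id": eid, "sid": sid, "logon_id": logon_id, "time": t})
                continue
            if eid == 4647:
                session["user_initiated"] = True
            # 4647 precedes 4634 for the same session; keep the later timestamp as the end
            if session["end"] is None or t > session["end"]:
                session["end"] = t
    return sessions, orphans


def summarize_user(events, sid):
    """Separate real console sessions from unlocks and zero-length noise for one SID."""
    sessions, orphans = build_sessions(events)
    out = {"interactive": [], "unlocks": [], "transient": 0,
           "orphan_logoffs": sum(1 for o in orphans if o["sid"] == sid)}
    for logon_id, s in sessions.items():
        if s["sid"] != sid:
            continue
        duration = None if s["end"] is None else (s["end"] - s["start"]).total_seconds()
        if duration == 0:
            # Logon and logoff in the same second: a transient session, not the user leaving
            out["transient"] += 1
            continue
        entry = {"logon_id": logon_id, "type": LOGON_TYPES.get(s["type"], str(s["type"])),
                 "start": s["start"].isoformat(),
                 "end": None if s["end"] is None else s["end"].isoformat(),
                 "duration_s": duration, "user_initiated": s["user_initiated"]}
        if s["type"] in INTERACTIVE_TYPES:
            out["interactive"].append(entry)
        elif s["type"] == 7:
            out["unlocks"].append(entry)
    return out


if __name__ == "__main__":
    report = summarize_user(SAMPLE_EVENTS, USER_SID)
    for session in report["interactive"]:
        print("At PC:", session["start"], "->", session["end"],
              "(user-initiated logoff)" if session["user_initiated"] else "")
    for session in report["unlocks"]:
        print("Unlocked at:", session["start"], "still open" if session["end"] is None else "")
    print("Transient same-second sessions ignored:", report["transient"])
    print("Logoffs with no logon in the export:", report["orphan_logoffs"])
```

On the constructed input the report shows one real console session from 08:01:10 to 17:02:31 ending with a user-initiated logoff, one unlock at 08:45:01 that was never closed, two same-second logon/logoff pairs filtered out as noise, and one 4634 whose 4624 lies outside the export. The same filtering applied to a real export answers the "when was this user at the PC" question from the thread without being misled by the repeated network and unlock sessions.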