8
3
Is there a way to get a list of the following times:
whenever windows is unlocked
in the past week?
I've tried poking in the event log, to no avail.
Many thanks!
Silver Dragon
Posted 2013-01-06T14:18:31.587
Reputation: 690
21
Event ID 4800 should correspond to The workstation was locked, and similarly Event ID 4801 should correspond to The workstation was unlocked.
If you don't see them in the Event Viewer, for recording future events try opening the Local Group Policy Editor (Start / Run / gpedit.msc), navigating to:
Computer Configuration / Windows Settings / Security Settings / Advanced Audit Policy Configuration / System Audit Policies - Local Group Policy Object / Logon/Logoff / Audit Other Logon/Logoff Events
and enabling the checkboxes for Success and Failure:
Karan
Posted 2013-01-06T14:18:31.587
Reputation: 51 857
1
I found events corresponding to locking and unlocking in my Windows 7 Security Event log
4634 Logoff with (WinKey +L)
4624 and 4672 unlocking.
Guy Thomas
Posted 2013-01-06T14:18:31.587
Reputation: 3 160
0
With Windows 10 and active directory, selecting an event ID and username in the filter did not work, but using the following in XML does work:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4648)] and EventData[Data[@Name='TargetUserName']='PUT_YOUR_USERNAME_HERE']]</Select>
</Query>
</QueryList>
kevinf
Posted 2013-01-06T14:18:31.587
Reputation: 524
It's a little odd that, in the Explain tab the event Ids are not shown, as I'm sure that this information would be helpful when auditing the logs. – Dan Atkinson – 2016-10-21T15:25:50.363
3Who the hell thought something like this shouldn't be logged by default?! – ThiefMaster – 2016-12-18T01:28:23.383