Logging Workstation Lock Events in Windows XP/2000

Hello.

I'm searching for a way to check how long a workstation has been 'Locked' via the standard Ctrl-Alt-Del windows locking mechanism. Poking around the forums here, I located this information:

(Msg. 5) Posted: Thu Jun 24, 2004 3:49 pm
Post subject: Re: "Lock Computer" Log
Archived from groups: per prev. post

First, auditing of logon events has to be enabled on the computer via Local Security Policy, or possibly at domain level if in a domain. Then you can search the security log in Event Viewer for Event IDs 528 [logon] and 538 [logoff], but only for logon type 7, which indicates that the computer was locked/unlocked. --- Steve

While this seems to be just the ticket, there is a problem. No event seems to be logged into the security log when the computer is initially locked; instead the 528:7 and 538:7 events are logged simultaneously when the computer is unlocked. Obviously, this does me no good, as I'm attempting to access a computer that is currently locked, and determine when it entered that state.

Is this simultaneous logging an error in our settings somewhere or is it an unfortunate part of windows? If the latter, is there any other way to check the duration of a lock?

I'm an administrator for a university with a busy computer lab. Our students have recently fallen into the habit of checking out a computer before class, locking it while they are away at class for 3 or 4 hours, then returning to have a workstation waiting for them instead of having to wait. A method to determine who is legitimately away for a few minutes to grab a snack from those who are denying other students access is crucial. We have a policy that prohibits locking a computer for more than 30 minutes, but no real way to enforce it.

Thank you in advance.
  1. Did you find out how to discover when a workstation was locked?
    alex@sbrha.org
  2. I am trying to detect a locked computer also.

    No ideas?
  3. Event id 538 lists logons (with logon type of 7 being unlocks). See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

    Event id 551 records user initiated logoffs
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=551

    Event id 528 lists successful logons (with logon type of 7 being locks).
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

    With these 3, splitting across days you could track who logs on & off and when they do it using WMI. Have a look at Chapter 10, lesson 4 of the .NET framework 2.0 application development foundation book
  4. Event id 538 lists logons (with logon type of 7 being unlocks). See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

    Event id 551 records user initiated logoffs
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=551

    Event id 528 lists successful logons (with logon type of 7 being locks).
    http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528

    With these 3, splitting across days you could track who logs on & off and when they do it using WMI. Have a look at Chapter 10, lesson 4 of the .NET framework 2.0 application development foundation book
  5. No hard feelings, just thought of a funny joke!

    Community user asks: What is an Orange?
    thomascourna replies: A Banana is a curved yellow fruit. See http://www.funnysigns.net/files/banana-curved-yellow-fruit-400x282.jpg

    Anyways, I am still looking for an answer to "How to log windows lock event"
  6. Nice one ReallyDude

    You can audit your Windows lock and unlock events when you enable

    Under Local Security Policy:

    LocalPolicies>AuditPolicy>Audit Account logon Events : Success,Failure
    LocalPolicies>AuditPolicy>Audit Logon Events : Success,Failure

    After you lock and unlock the workstation, look under
    Computer Management>Event Viewer>Windows Logs>Security.

    Look for Logon, Logoff on Task Category.

    Hope this might help.

    sdpages..
  7. eventID 4800 is for Lock Workstation
    eventID 4801 is The workstation was unlocked.
  8. What's with resurrecting 4 year old threads?
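
The event IDs from answer 7 applied to the original question, as an added example that is not part of the thread: it pairs each 4800 (locked) with the next 4801 (unlocked) for the same user and flags locks longer than the 30-minute lab policy, including locks that are still open. Assumptions: a Windows version that writes 4800/4801 (Vista/Server 2008 or later) with the "Other Logon/Logoff Events" audit subcategory enabled; the function names `ConvertFrom-LockEvent` and `Get-LockInterval` are hypothetical and the sample events are constructed.

```powershell
# Turn a Security log record into a small object (Id, TimeCreated, User).
function ConvertFrom-LockEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Id          = $Record.Id
            TimeCreated = $Record.TimeCreated
            User        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    }
}

# Pair lock/unlock events per user; a lock with no unlock is measured up to $Now.
function Get-LockInterval {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetime] $Now = (Get-Date),
        [int] $LimitMinutes = 30          # policy limit stated in the question
    )
    $pending = @{}                        # user -> time of the unmatched lock
    $rows = foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 4800) {
            $pending[$e.User] = $e.TimeCreated
        }
        elseif ($e.Id -eq 4801 -and $pending.ContainsKey($e.User)) {
            [pscustomobject]@{ User = $e.User; Locked = $pending[$e.User]; Unlocked = $e.TimeCreated }
            $pending.Remove($e.User)
        }
    }
    $rows = @($rows) + @(foreach ($u in $pending.Keys) {
        [pscustomobject]@{ User = $u; Locked = $pending[$u]; Unlocked = $null }
    })
    foreach ($r in $rows) {
        $end = if ($r.Unlocked) { $r.Unlocked } else { $Now }
        $min = [math]::Round(($end - $r.Locked).TotalMinutes)
        $r | Add-Member -NotePropertyName Minutes   -NotePropertyValue $min
        $r | Add-Member -NotePropertyName OverLimit -NotePropertyValue ($min -gt $LimitMinutes)
        $r
    }
}

# Constructed sample: student1 is away 10 minutes, student2 is still locked.
$sample = @(
    [pscustomobject]@{ Id = 4800; TimeCreated = [datetime]'2024-03-04T09:00:00'; User = 'student1' }
    [pscustomobject]@{ Id = 4801; TimeCreated = [datetime]'2024-03-04T09:10:00'; User = 'student1' }
    [pscustomobject]@{ Id = 4800; TimeCreated = [datetime]'2024-03-04T09:05:00'; User = 'student2' }
)
Get-LockInterval -Events $sample -Now ([datetime]'2024-03-04T13:00:00') | Format-Table
```

Against a live machine, run from an elevated prompt and feed the function with `Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801 } | ConvertFrom-LockEvent`. A lock that ended in a logoff or reboot rather than an unlock shows up as still open, so cross-check those rows against logoff events.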