Sign in with
Sign up | Sign in
Your question

Logging Workstation Lock Events in Windows XP/2000

Last response: in Windows 2000/NT
Share
April 26, 2006 9:28:23 PM

Hello.

I'm searching for a way to check how long a workstation has been 'Locked' via the standard Ctrl-Alt-Del windows locking mechanism. Poking around the forums here, I located this information:

(Msg. 5) Posted: Thu Jun 24, 2004 3:49 pm
Post subject: Re: "Lock Computer" Log [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

First auditing of logon events has to be enabled on the computer via Local Security Policy or possibly domain level if in a domain. Then you can search the security log in Event Viewer for Event ID's 528 [logon] and 538 [logoff] but only for logon type 7 which indictes the the computer was locked/unlocked. --- Steve

While this seems to be just the ticket, there is a problem. No event seems to be logged into the security log when the computer is initially locked; instead the 528:7 and 538:7 events are logged simultaneously when the computer is unlocked. Obviously, this does me no good, as I'm attempting to access a computer that is currently locked, and determine when it entered that state.

Is this simultaneous logging an error in our settings somewhere or is it an unfortunate part of windows? If the latter, is there any other way to check the duration of a lock?

I'm an administrator for a university with a busy computer lab. Our students have recently fallen into the habit of checking out a computer before class, locking it while they are away at class for 3 or 4 hours, then returning to have a workstation waiting for them instead of having to wait. A method to determine who is legitimately away for a few minutes to grab a snack from those who are denying other students access is crucial. We have a policy that prohibits locking a computer for more than 30 minutes, but no real way to enforce it.

Thank you in advance.
August 16, 2006 2:54:03 PM

Did you find out how to discover when a workstation was locked?
alex@sbrha.org
May 9, 2007 5:16:09 PM

I am trying to detect a locked computer also.

No ideas?
Related resources
May 29, 2009 1:30:43 PM

Event id 538 lists logons(with logon type of 7 being unlocks). See http://www.ultimatewindowssecurity.com/securitylog/ency...

Event id 551 records user initiated logoffs
http://www.ultimatewindowssecurity.com/securitylog/ency...

Event id 528 lists successful logons(with logon type of 7 being locks).
http://www.ultimatewindowssecurity.com/securitylog/ency...

With these 3, splitting across days you could track who logs on & off and when they do it using WMI. Have a look at Chapter 10, lesson 4 of the .NET framework 2.0 application development foundation book
May 29, 2009 1:31:37 PM

Event id 538 lists logons(with logon type of 7 being unlocks). See http://www.ultimatewindowssecurity.com/securitylog/ency...

Event id 551 records user initiated logoffs
http://www.ultimatewindowssecurity.com/securitylog/ency...

Event id 528 lists successful logons(with logon type of 7 being locks).
http://www.ultimatewindowssecurity.com/securitylog/ency...

With these 3, splitting across days you could track who logs on & off and when they do it using WMI. Have a look at Chapter 10, lesson 4 of the .NET framework 2.0 application development foundation book
January 17, 2013 7:57:09 PM

Nice one ReallyDude

you can audit your windows lock and unlock event when you enable

Under Local Security Policy:

LocalPolicies>AuditPolicy>Audit Account logon Events : Success,Failure
LocalPolicies>AuditPolicy>Audit Logon Events : Success,Failure

After you lock and unlock the workstation, look under
Computer Management>Event Viewer>Windows Logs>Security.

Look for Logon, Logoff on Task Category.

Hope this might help.

sdpages..
January 17, 2013 8:05:08 PM

eventID 4800 is for Lock Workstation
eventID 4801 is The workstation was unlocked.
January 17, 2013 8:22:21 PM

What's with resurrecting 4 year old threads?
!