Logging Workstation Lock Events in Windows XP/2000

Hello.

I'm searching for a way to check how long a workstation has been 'Locked' via the standard Ctrl-Alt-Del windows locking mechanism. Poking around the forums here, I located this information:

(Msg. 5) Posted: Thu Jun 24, 2004 3:49 pm
Post subject: Re: "Lock Computer" Log [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

First auditing of logon events has to be enabled on the computer via Local Security Policy or possibly domain level if in a domain. Then you can search the security log in Event Viewer for Event ID's 528 [logon] and 538 [logoff] but only for logon type 7 which indictes the the computer was locked/unlocked. --- Steve

While this seems to be just the ticket, there is a problem. No event seems to be logged into the security log when the computer is initially locked; instead the 528:7 and 538:7 events are logged simultaneously when the computer is unlocked. Obviously, this does me no good, as I'm attempting to access a computer that is currently locked, and determine when it entered that state.

Is this simultaneous logging an error in our settings somewhere or is it an unfortunate part of windows? If the latter, is there any other way to check the duration of a lock?

I'm an administrator for a university with a busy computer lab. Our students have recently fallen into the habit of checking out a computer before class, locking it while they are away at class for 3 or 4 hours, then returning to have a workstation waiting for them instead of having to wait. A method to determine who is legitimately away for a few minutes to grab a snack from those who are denying other students access is crucial. We have a policy that prohibits locking a computer for more than 30 minutes, but no real way to enforce it.

Thank you in advance.

I am trying to detect a locked computer also.

No ideas?

Event id 538 lists logons(with logon type of 7 being unlocks). See http://www.ultimatewindowssecurity [...] ventid=528

Event id 551 records user initiated logoffs
http://www.ultimatewindowssecurity [...] ventid=551

Event id 528 lists successful logons(with logon type of 7 being locks).
http://www.ultimatewindowssecurity [...] ventid=528

With these 3, splitting across days you could track who logs on & off and when they do it using WMI. Have a look at Chapter 10, lesson 4 of the .NET framework 2.0 application development foundation book