Detecting Windows Physical Console Logon
I'm trying to find a way to detect a logon where someone is physically at the machine. I know you can do it with Type 2 but the issue is that events get logged when services make a logon request such as when someone logs on through a service.
One way I found that might be accurate is when Source Network Address shows a local IP like 127.0.0.1
Is this accurate enough or is there another way to do it?
Solution 1:
Take a look in the following log:
Applications and Services Logs
/ Microsoft
/ Windows
/ TerminalServices-LocalSessionManager
/ [...]Operational
Event ID 21 Remote Desktop Services: Session logon succeeded (with LOCAL
in "Address").
Event ID 25 Remote Desktop Services: Session reconnection succeeded may be interesting too, typically if someone connects remotely first and then reconnect from the local computer (with LOCAL
in "Address" too).
However, keep in mind that if someone remote controls the computer with a third-party tool for example, and logs on afterwards Windows will not be able to detect this as a remote connection of course.