I'm trying to find a way to detect a logon where someone is physically at the machine. I know you can do it with Type 2, but the issue is that events also get logged when services make a logon request, such as when someone logs on through a service.

One way I found that might be accurate is when Source Network Address shows a local IP like 127.0.0.1.

Is this accurate enough or is there another way to do it?


Solution 1:

Take a look in the following log:

Applications and Services Logs/ Microsoft / Windows / TerminalServices-LocalSessionManager / [...]Operational

Event ID 21 Remote Desktop Services: Session logon succeeded (with LOCAL in "Address").

XML representation of Event ID 21

Event ID 25 Remote Desktop Services: Session reconnection succeeded may be interesting too, typically if someone connects remotely first and then reconnects from the local computer (with LOCAL in "Address" too).

XML representation of Event ID 25

However, keep in mind that if someone remote-controls the computer with a third-party tool, for example, and logs on afterwards, Windows will of course not be able to detect this as a remote connection.
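A way to pull exactly those events from the log the answer points to, as an added example that is not part of the original answer. It assumes the default log name for the LocalSessionManager Operational channel and rights to read it; the User/SessionID/Address fields come from the UserData/EventXML payload of events 21 and 25.

```powershell
# Added example: list console (LOCAL) session logons and reconnections from the
# TerminalServices-LocalSessionManager Operational log discussed in the answer.
# Assumes the channel is enabled and the caller can read it (local admin or Event Log Readers).
$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# 21 = Session logon succeeded, 25 = Session reconnection succeeded
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 21, 25 } -ErrorAction Stop

$events | ForEach-Object {
    # Each record carries its payload as UserData/EventXML with User, SessionID and Address.
    $xml  = [xml]$_.ToXml()
    $data = $xml.Event.UserData.EventXML
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Action    = if ($_.Id -eq 21) { 'Logon' } else { 'Reconnect' }
        User      = $data.User
        SessionId = $data.SessionID
        Address   = $data.Address
        # 'LOCAL' means the session was opened at the console; any other value is the RDP client address.
        # As the answer notes, a third-party remote-control tool driving the console still shows as LOCAL.
        Console   = ($data.Address -eq 'LOCAL')
    }
} | Where-Object Console | Sort-Object Time | Format-Table -AutoSize
```

Drop the `Where-Object Console` filter to see the RDP sessions alongside the console ones for comparison.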