Time since Windows 7 was last unlocked
Is it possible to determine the time since a Windows 7 machine was last unlocked? By unlocked I mean the user locks the machine by clicking Start->ShutDown->Lock or by pressing the Windows key + L, and then at a later time unlocks the machine by clicking on the user icon (and, depending on settings, typing in a password).
Open Event Viewer, browse to Windows Logs > Security and look for an event with ID 4624:
Logon Type: 7 indicates a workstation unlock.
To show only Workstation Unlock events (i.e. Logon Type: 7):
1. Open Event Viewer.
2. In the right pane, click "Create Custom View".
3. Click the "XML" tab.
4. Check "Edit query manually".
5. Click "Yes" at the confirmation box.
6. Paste in this XML:

        <QueryList>
          <Query Id="0" Path="Security">
            <Select Path="Security">
              *[
                EventData[Data[@Name='LogonType']='7']
                and
                System[(EventID='4624')]
                and
                System[TimeCreated[timediff(@SystemTime) &lt;= 604800000]] <!-- Show only events in the last seven days -->
              ]
            </Select>
          </Query>
        </QueryList>

7. Click OK.
8. Enter a name and description, e.g. "Unlock times", "Times when a user unlocked the computer".
9. Click OK.
10. Now, whenever you want to know the time you unlocked the computer, open the "Custom Views" folder in the left pane and select "Unlock times" (or whatever you named the filter in Step 8).
Source: Filtering Security Logs by User and Logon Type
PowerShell 6 one-liner (run as administrator):
(get-winevent -FilterHashtable @{Logname='Security';ID=4624;'LogonType'='7'} -MaxEvents 1).TimeCreated
Earlier versions of PowerShell:
(Get-winevent -FilterHashtable @{logname='security'; id=4624; starttime=(get-date).date} | where {$_.properties[8].value -eq 7})[0].TimeCreated
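The answers above return the time of the last unlock. As an added example (not part of either answer), the following script reports the elapsed time since then, using the custom view's event ID and logon-type conditions as an XPath filter. The function name `Get-TimeSinceUnlock` is hypothetical, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: elapsed time since the most recent workstation unlock.
# Run from an elevated prompt; reading the Security log requires administrator rights.

# Same conditions as the custom view: event 4624 with LogonType 7.
$UnlockXPath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='7']]"

function Get-TimeSinceUnlock {   # hypothetical helper name
    try {
        # Get-WinEvent returns the newest events first, so -MaxEvents 1 is the latest unlock.
        $evt = Get-WinEvent -LogName Security -FilterXPath $UnlockXPath -MaxEvents 1 -ErrorAction Stop
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            Write-Warning 'No unlock events found (logon auditing disabled, or the Security log has rolled over).'
            return
        }
        throw   # access denied and other failures should surface unchanged
    }

    # Read fields by name from the event XML instead of relying on a property index.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    New-Object PSObject -Property @{
        User       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        UnlockedAt = $evt.TimeCreated
        Elapsed    = (Get-Date) - $evt.TimeCreated
    }
}

Get-TimeSinceUnlock | Format-List User, UnlockedAt, Elapsed
```

On a machine with several accounts, check the `User` field: the newest unlock event in the log may belong to a different account than the one running the script.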