How can I use Event Viewer to confirm login times filtered by User?
Solution 1:
The default configuration makes it rather messy. This is because Windows also tracks any time you have to log in to network computers. It also tracks every time your computer account, not the user account, creates a login session.
You should use the audit account logon option and not the audit logon option.
The events you are looking for will have your account's Fully Qualified Domain Name. For example, if you are not on a domain, the search text you are looking for is computer_name / account_name.
edit
Another idea is to create login and logoff scripts. Depending on your edition of Windows 7, you can use gpedit.msc to bring up the Group Policy Console.
Then you'll just need a batch file that has the command logevent "My login/logoff event" -e 666. This event will show up in the Application Log.
edit
This will be easier if you are not on a domain. If you go under Local Security / Local Policies / Security options, look for the "Force Audit..." option. I forgot the name of it. But disable it. That will make the Security logs less verbose, since a user logging in at the console, in some cases, shares the same Event ID. Some Event IDs you want to look for:
- Event 4647 - this is when you hit the logoff, restart, shutdown button. Windows update restarting your computer also sometimes sets off this event :(
- Event 4648 - this is when a process (which includes the login screen) uses your explicit credentials, rather than, say, a token, to log in. This includes the Runas command and, a lot of times, backup programs.
- Event 4800 - When your workstation is locked, like pressing WIN + L
- Event 4801 - When your workstation is unlocked
Generally, you can get by using events 4647 and 4648. Unfortunately there isn't a surefire method, since there are a thousand things that happen when you log in and log off your computer.
For what it is worth, at work, we look for the login script to fire, and at logoff there are two programs as well as a sync event we look for as surefire events.
Solution 2:
Simple Solution:
- Open the event or events for which you wish to create a custom view.
- Move the window somewhere that will be visible (one side of the screen, second monitor, or print it)
- Create new view and define using the opened event parameters (e.g. User, Keywords, Computer, etc.). In this case, user was N/A so I just used the Computer and event ID (4648, not 4624).
- After modifying parameters as needed, save.
This method is useful for any event or set of events you wish to log. It does not require complex tasks or third party software.
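
The same filtering can be scripted. The following is an added example, not part of either answer: it pulls the four event IDs listed in Solution 1 from the Security log and filters them by account name taken from the event data, since the event's own User field is N/A (as Solution 2 found). The parameter names and the 7-day default window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: session-related Security events for one account.
# $Account and $Days are illustrative parameters, not from the original answers.
param(
    [string]$Account = $env:USERNAME,
    [int]$Days = 7
)

# Event IDs and meanings as listed in Solution 1.
$labels = @{
    4647 = 'Logoff initiated'
    4648 = 'Logon with explicit credentials'
    4800 = 'Workstation locked'
    4801 = 'Workstation unlocked'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4647, 4648, 4800, 4801
    StartTime = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            What    = $labels[$_.Id]
            # For 4648 this is the account whose credentials were used;
            # the caller is in SubjectUserName and is often the computer account.
            Account = $data['TargetUserName']
            Domain  = $data['TargetDomainName']
            Process = $data['ProcessName']   # populated on 4648 only
        }
    } |
    Where-Object { $_.Account -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Events 4800 and 4801 are only recorded when the "Other Logon/Logoff Events" audit subcategory is enabled, so an empty result for those IDs may reflect audit policy rather than the absence of lock and unlock activity.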