View successful and failed local logon attempts on Windows Ranjan.info

While investigating various events, an administrator needs to know who logged on to a particular Windows computer and when. You can obtain the history of user logons in a domain network from the domain controller logs. Nevertheless, it is sometimes easier to obtain this information directly from the local computer’s event log. In this article, we will show how to retrieve and analyze user logon events on a computer or server running Windows. These statistics will help you answer the questions “How to see who has used a Windows computer and when?” and “How to check user logon history in Windows?”.

Enable User Logon Audit Policy in Windows

First, enable the User Logon Audit Policy. To configure local Group Policy settings on a standalone computer, use the gpedit.msc snap-in. If you want to enable the policy for computers in an Active Directory domain, use the Domain GPO Editor (gpmc.msc):

  1. Open the Group Policy Management Console, create a new GPO, and assign it to the organizational units (OUs) with the computers and/or servers for which you want to enable the logon event audit policy;
  2. Open the GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff;
  3. Enable two audit policy options: Audit Logon and Audit Logoff. This will help in tracking both user logon and logoff events. If you want to track only successful logon attempts, check only the Success option in the policy settings;
    This same section includes policy settings for auditing account lockout events, changes to Active Directory groups, and more.

    Enable Audit Logon Events Policy in Windows

  4. Close GPO Editor and update the Group Policy settings on the client.
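On a standalone computer the same subcategories can be switched on and verified from the command line with auditpol.exe, which is also the quickest way to confirm that a domain GPO has actually reached a member. The following is an added example, not part of the original article; it assumes an elevated PowerShell prompt.

```powershell
# Added example: enable the Logon/Logoff audit subcategories locally with
# auditpol.exe and verify the effective setting. Needs an elevated prompt.

# Audit both successful and failed logons, and successful logoffs.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Logoff" /success:enable

# Show what is in effect right now for the whole Logon/Logoff category.
auditpol.exe /get /category:"Logon/Logoff"

# On a domain member the GPO from the steps above wins over the local setting:
# refresh Group Policy and check again to confirm the domain value was applied.
gpupdate.exe /target:computer /force
auditpol.exe /get /category:"Logon/Logoff"
```

Once any advanced audit policy subcategory is configured, Windows ignores the legacy "Audit logon events" setting under Local Policies -> Audit Policy, so check the subcategory output above rather than the old policy page when the expected events do not appear.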

How to find user logon events in Windows Event Viewer?

After you enable logon audit policies, a logon event entry will appear in the Event Viewer log whenever a user logs on to Windows. Let’s see how it looks.

  1. Open Event Viewer (eventvwr.msc);
  2. Expand Windows Logs and select Security;
  3. Right-click it and select Filter Current Log;
  4. Enter 4624 in the Event ID box and click OK;
     Filter logons by event ID in Event Viewer
  5. Only logon events (for users and for system services) will be displayed, with the description: An account was successfully logged on;
  6. The event details include the name and domain of the user who logged on to the computer:
    New Logon:
    Security ID: WOSHUB\a.muller
    Account Name: a.muller
    Account Domain: WOSHUB

View User Logon Events in Windows

Some other useful event IDs are listed below:

  Event ID   Description
  4624       An account was successfully logged on
  4625       An account failed to log on
  4648       A logon was attempted using explicit credentials
  4634       An account was logged off
  4647       User initiated logoff

The filtered event log will not only contain local user login events. There are also events for network access to this computer (when you open shared files or use a shared printer), events for running various services and scheduled tasks, etc. In other words, there are too many events that are not related to a local user logon.

The Logon Type code can be used to separate interactive user logons to the computer console (local logons) from the rest. The table below shows the logon type codes.

  Logon type code   Description
  0                 System
  2                 Interactive
  3                 Network
  4                 Batch
  5                 Service
  6                 Proxy
  7                 Unlock
  8                 NetworkCleartext
  9                 NewCredentials
  10                RemoteInteractive
  11                CachedInteractive
  12                CachedRemoteInteractive
  13                CachedUnlock

According to this table, the logon type in a local user logon event should be 2.
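The event IDs and logon type codes from the two tables above can be combined into one report that covers both successful (4624) and failed (4625) attempts. The following is an added example, not the article's own script: it reads the fields by name from each event's XML instead of by positional index (the index of LogonType differs between 4624 and 4625), labels the logon type code, and keeps only console-style logons by default. It assumes an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the original article): successful and failed logons
# from the local Security log, fields read by name from the event XML, logon
# type code mapped to its name. Run from an elevated prompt.

# Logon type codes from the table above.
$logonTypeNames = @{
    '0' = 'System'; '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'
    '5' = 'Service'; '6' = 'Proxy'; '7' = 'Unlock'; '8' = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
    '12' = 'CachedRemoteInteractive'; '13' = 'CachedUnlock'
}

function Get-LogonReport {
    param(
        # How far back to look (StartTime filter is applied by the log service itself).
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Console (2), unlock (7), RDP (10) and cached console (11) logons by default.
        [int[]]$LogonTypes = @(2, 7, 10, 11)
    )
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Every EventData/Data element carries a Name attribute; build a lookup from it
        # so the same code works for 4624 and 4625 despite their different field order.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Result    = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = [int]$data['LogonType']
            TypeName  = $logonTypeNames[$data['LogonType']]
            SourceIP  = $data['IpAddress']
            Status    = $data['Status']       # NTSTATUS code, present on 4625 only
        }
    } | Where-Object { $_.LogonType -in $LogonTypes }
}

# Console and RDP logons from the last 7 days, failures listed first.
Get-LogonReport | Sort-Object Result, Time | Format-Table -AutoSize

# Failed attempts per account: a quick check for password guessing against this host.
Get-LogonReport | Where-Object Result -eq 'Failure' |
    Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```

Note that failed RDP attempts are usually recorded with logon type 3 rather than 10 when Network Level Authentication is enabled, so pass `-LogonTypes 2,3,7,10,11` when you are specifically reviewing failures against a remote desktop host.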

To filter logon events by logon type, it is better to use PowerShell.

Parsing User Logon Events with PowerShell

Let’s say your task is to find out which users have recently logged on to this computer. Since we are only interested in interactive logon events (using the computer console), that is LogonType = 2, we will use the Get-WinEvent cmdlet to select these events from the Event Viewer log.

The following PowerShell script displays the logon history of users on the current computer and presents it as a table in the graphical Out-GridView window.

# XPath filter: successful logons (4624) of type 2 (Interactive),
# excluding virtual accounts (%%1843 means "No")
$query = @'
<QueryList>
  <Query Id='0' Path="Security">
    <Select Path="Security">
      *[System[EventID='4624'] and (
        EventData[Data[@Name="VirtualAccount"]='%%1843'] and
        EventData[Data[@Name="LogonType"]='2'])
      ]
    </Select>
  </Query>
</QueryList>
'@
# Calculated properties; the indexes refer to the positional EventData fields
# of a 4624 event (5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType)
$properties = @(
  @{n='User';e={$_.Properties[5].Value}},
  @{n='Domain';e={$_.Properties[6].Value}},
  @{n='TimeStamp';e={$_.TimeCreated}},
  @{n='LogonType';e={$_.Properties[8].Value}}
)
Get-WinEvent -FilterXml $query | Select-Object $properties | Out-GridView

Get User Logon History Locally in Windows with PowerShell

If you want to select only the last few days of logon events, insert a Where-Object condition into the pipeline before Out-GridView. Use an unambiguous date format, since a string such as '27/04/23' is parsed according to the system locale and fails on en-US systems:

Get-WinEvent -FilterXml $query | Select-Object $properties | Where-Object {$_.TimeStamp -gt [datetime]'2023-04-27'} | Out-GridView

You can use the Get-WinEvent cmdlet to retrieve information from a remote computer. For example, to get user logon history from two remote computers, run this script:

# Query each remote computer in turn over RPC (the $query and $properties
# variables are the ones defined above)
'mun-rds1', 'mun-rds2' |
ForEach-Object {
  Get-WinEvent -ComputerName $_ -FilterXml $query | Select-Object $properties
}

If RPC traffic to the remote computer is blocked (for example, by a firewall), you can use the Invoke-Command cmdlet instead, which runs the query on the remote computer over PowerShell Remoting (WinRM) and returns the results:

Invoke-Command -ComputerName 'mun-rds1', 'mun-rds2' {Get-WinEvent -FilterXml $query | Select-Object $properties}
