While investigating various events, an administrator often needs to know who logged on to a particular Windows computer and when. In a domain network, you can obtain the user logon history from the domain controller logs. Nevertheless, it is sometimes easier to get the information directly from the local computer’s event log. In this article, we will show how to retrieve and analyze user logon events on a computer or server running Windows. These statistics will help you answer the questions “How to see who has used a Windows computer and when?” and “How to check the user logon history in Windows?”.
Enable User Logon Audit Policy in Windows
First, enable the user logon audit policy. To configure local Group Policy settings on a standalone computer, use the gpedit.msc snap-in. If you want to enable the policy for computers in an Active Directory domain, use the Domain GPO Editor (gpmc.msc):
- Open the Group Policy Management Console, create a new GPO, and assign it to the organizational units (OUs) with the computers and/or servers for which you want to enable the logon event audit policy;
- Open the GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff;
- Enable two audit policy options: Audit Logon and Audit Logoff. This lets you track both user logon and logoff events. If you want to track only successful logon attempts, check only the Success option in the policy settings;
The same section contains policy settings for auditing account lockout events, changes to Active Directory groups, and more.
- Close the GPO Editor and update the Group Policy settings on the client.
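To confirm that the policy actually reached the client (or to enable the same two subcategories on a standalone computer without a GPO), you can query the effective audit settings with the built-in auditpol tool. This is an added example, not part of the original article; it assumes an elevated PowerShell prompt on the client.

```powershell
# Added example (not from the original article). Run elevated on the client.

# Pull the latest computer GPO settings before checking
gpupdate /target:computer /force

# Show the effective setting of every subcategory under Logon/Logoff.
# /r returns CSV, so the result can be filtered like any PowerShell object.
$effective = auditpol /get /category:"Logon/Logoff" /r | ConvertFrom-Csv
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Flag the two subcategories this article relies on if they are still off
foreach ($sub in 'Logon', 'Logoff') {
    $row = $effective | Where-Object Subcategory -eq $sub
    if ($row.'Inclusion Setting' -eq 'No Auditing') {
        Write-Warning "Audit subcategory '$sub' is not enabled on $env:COMPUTERNAME"
    }
}

# Standalone computer (no GPO): enable the subcategories locally.
# Success for both; Failure for Logon so that 4625 events are recorded too.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
```

On a domain-joined computer, the GPO overrides whatever auditpol sets locally at the next policy refresh, so use auditpol there only for checking.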
How to find user logon events in Windows Event Viewer?
After you enable logon audit policies, a logon event entry will appear in the Event Viewer log whenever a user logs on to Windows. Let’s see how it looks.
- Open Event Viewer (eventvwr.msc);
- Expand Windows Logs and select Security;
- Right-click it and select Filter Current Log;
- Enter 4624 in the Event ID box and click OK;
- Only logon events (for users and system services) will now be listed, each with the description:
An account was successfully logged on.
- The event details include the name and domain of the user who logged on to the computer:
New Logon:
Security ID: WOSHUB\a.muller
Account Name: a.muller
Account Domain: WOSHUB
Some other useful event IDs are listed below:
Event ID | Description |
---|---|
4624 | An account was successfully logged on |
4625 | An account failed to log on |
4648 | A logon was attempted using explicit credentials |
4634 | An account was logged off |
4647 | User-initiated logoff |
The filtered event log will not only contain local user logon events. It also contains events for network access to this computer (when someone opens shared files or uses a shared printer), events for various services and scheduled tasks starting, and so on. In other words, there are many events that are not related to a local user logon.
The Logon Type code in the event can be used to keep only interactive user logons to the computer console (local logons). The table below lists the logon type codes.
Logon type code | Description |
---|---|
0 | System |
2 | Interactive |
3 | Network |
4 | Batch |
5 | Service |
6 | Proxy |
7 | Unlock |
8 | NetworkCleartext |
9 | NewCredentials |
10 | RemoteInteractive |
11 | CachedInteractive |
12 | CachedRemoteInteractive |
13 | CachedUnlock |
According to this table, the logon type in a local (console) user logon event is 2.
To filter logon events by logon type, it is easier to use PowerShell.
Parsing User Logon Events with PowerShell
Let’s say your task is to find out which users have recently logged on to this computer. We are only interested in interactive logon events (using the computer console), i.e. LogonType = 2. We will use the Get-WinEvent cmdlet to select the matching events from the Event Viewer log.
The following PowerShell script displays the logon history of users on the current computer and presents it as a graphical out-grid view table.
```powershell
# XPath filter for the Security log: event 4624 (successful logon),
# real (non-virtual) accounts only (%%1843 = "No"), interactive logons (type 2).
# Reading the Security log requires an elevated PowerShell session.
$query = @'
<QueryList>
  <Query Id='0' Path="Security">
    <Select Path="Security">
      *[System[EventID='4624'] and (
        EventData[Data[@Name="VirtualAccount"]='%%1843'] and
        EventData[Data[@Name="LogonType"]='2'])
      ]
    </Select>
  </Query>
</QueryList>
'@

# Property indexes of event 4624: 5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType
$properties = @(
    @{n='User';      e={$_.Properties[5].Value}},
    @{n='Domain';    e={$_.Properties[6].Value}},
    @{n='TimeStamp'; e={$_.TimeCreated}},
    @{n='LogonType'; e={$_.Properties[8].Value}}
)

Get-WinEvent -FilterXml $query | Select-Object $properties | Out-GridView
```
If you want to select only the last few days of logon events, add a pipe with the following condition before Out-GridView (cast the date explicitly so the comparison does not depend on the regional date format):
```powershell
| Where-Object {$_.TimeStamp -gt [datetime]'2023-04-27'}
```
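Going a step beyond the 4624-only filter above, the following function builds a per-session history: it takes the interactive logon types from the table (2, 10 and 11 by default), pairs each 4624 event with its 4634/4647 logoff event through the session's LogonId, and restricts the search to the last N days. This is an added example, not code from the original article; the function and parameter names are this example's own, and it assumes an elevated session on the computer being examined.

```powershell
# Added example (not from the original article). Requires an elevated session.
function Get-InteractiveLogonSessions {
    param(
        [int]$Days = 7,
        # 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive
        [int[]]$LogonType = @(2, 10, 11)
    )
    $since = (Get-Date).AddDays(-$Days)
    # One query for logons (4624) and both logoff events (4634, 4647)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4634, 4647
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # Index logoff times by LogonId (Properties[3] in 4634 and 4647); keep the earliest
    $logoffs = @{}
    foreach ($e in ($events | Where-Object { $_.Id -in 4634, 4647 })) {
        $id = $e.Properties[3].Value
        if (-not $logoffs.ContainsKey($id)) { $logoffs[$id] = $e.TimeCreated }
    }

    # 4624 indexes: 5 = user, 6 = domain, 7 = TargetLogonId, 8 = LogonType, 16 = IpAddress
    foreach ($e in ($events | Where-Object { $_.Id -eq 4624 })) {
        $type = [int]$e.Properties[8].Value
        $user = [string]$e.Properties[5].Value
        # Skip non-interactive types and machine accounts (names ending in $)
        if ($type -notin $LogonType -or $user.EndsWith('$')) { continue }
        $end = $logoffs[$e.Properties[7].Value]
        $duration = if ($end) { $end - $e.TimeCreated } else { $null }
        [pscustomobject]@{
            User       = '{0}\{1}' -f $e.Properties[6].Value, $user
            LogonType  = $type
            LogonTime  = $e.TimeCreated
            LogoffTime = $end          # empty if the session is still open
            Duration   = $duration
            SourceIP   = $e.Properties[16].Value
        }
    }
}

Get-InteractiveLogonSessions -Days 7 | Sort-Object LogonTime | Format-Table -AutoSize
```

Sessions that started before the StartTime window have no 4624 event in the result set and are not listed, so widen Days if a long-running session is expected.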
You can also use the Get-WinEvent cmdlet to retrieve information from a remote computer. For example, to get the user logon history from two remote computers, run this script (it reuses the $query and $properties variables defined above):
```powershell
'mun-rds1', 'mun-rds2' |
ForEach-Object {
    Get-WinEvent -ComputerName $_ -FilterXml $query | Select-Object $properties
}
```
Alternatively, run the query on the remote hosts themselves with Invoke-Command. Local variables are not visible inside the remote script block, so pass them with the $using: scope modifier:
```powershell
Invoke-Command -ComputerName 'mun-rds1', 'mun-rds2' {
    Get-WinEvent -FilterXml $using:query | Select-Object -Property $using:properties
}
```