Eventviewer eventid for lock and unlock

Question

What is the event id in Event Viewer for lock  unlock for a computer in Windows nbsp XP  Windows nbsp 7  Windows nbsp Vista and Windows Server 2008

User · Accepted Answer

The event IDs to look for in pre-Vista Windows are 528, 538, and 680. 528 usually stands for successful unlock of workstation.

The codes for newer Windows versions differ, see below answers for more infos.

User · Answer

You will need to enable logging of these events  Do so by opening the group policy editor      run -  gpedit msc   and configuring the following category        Computer Configuration -    Windows Settings -    Security Settings -    Advanced Audit Policy Configuration -    System Audit Policies - Local Group Policy Object -    Logon Logoff -    Audit Other Login Logoff Events    In the Explain tab it says      allows you to audit     Locking and unlocking a workstation

User · Answer

The lock event ID is 4800  and the unlock is 4801  You can find them in the Security logs  You probably have to activate their auditing using Local Security Policy  secpol msc  Local Security Settings in Windows XP  -  Local Policies -  Audit Policy  For Windows 10 see the picture below   Look in Description of security events in Windows 7 and in Windows Server 2008 R2 under Subcategory  Other Logon Logoff Events

User · Answer

For newer versions of Windows  including but not limited to both Windows 10 and Windows Server 2016   the event IDs are    4800 - The workstation was locked  4801 - The workstation was unlocked    Locking and unlocking a workstation also involve the following logon and logoff events    4624 - An account was successfully logged on  4634 - An account was logged off   4648 - A logon was attempted using explicit credentials    When using a Terminal Services session  locking and unlocking may also involve the following events if the session is disconnected  and event 4778 may replace event 4801    4779 - A session was disconnected from a Window Station  4778 - A session was reconnected to a Window Station    Events 4800 and 4801 are not audited by default  and must be enabled using either Local Group Policy Editor  gpedit msc  or Local Security Policy  secpol msc    The path for the policy using Local Group Policy Editor is    Local Computer Policy Computer Configuration Windows Settings Security Settings Advanced Audit Policy Configuration System Audit Policies - Local Group Policy Object Logon Logoff Audit Other Logon Logoff Events   The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor    Security Settings Advanced Audit Policy Configuration System Audit Policies - Local Group Policy Object Logon Logoff Audit Other Logon Logoff Events

User · Answer

Using Windows 10 Home edition   I was unable to get my event viewer to capture events 4800 and 4801  even after installing the Windows Group Policy Editor  enabling auditing on all the relevant events  and restarting the computer   However  I was able to discover other events that are tied to locking and unlocking that you can use as accurate and reliable indicators of when the PC was locked   See configurations below - the first is for PC Locked  the event connected to displaying C  Windows System32 LogonUI exe  - and the second is for PC Unlocked  the event for successful logon

User · Answer

To identify unlock screen I believe that you can use ID 4624  But then you also need to look at the Logon Type which in this case is 7  http   www ultimatewindowssecurity com securitylog encyclopedia event aspx eventid 4624  Event ID for Logoff is 4634

User · Answer

Unfortunately there is no such a thing as Lock Unlock  What you have to do is    Click on  Filter Current Log     Select the XML tab and click on  Edit query manually  Enter the below query     lt QueryList gt     lt Query Id  0  Path  Security        lt Select Path  Security         EventData Data  Name  LogonType    7        and       System  EventID  4634    or System  EventID  4624            lt  Select     lt  Query   lt  QueryList     That s it

User · Answer

Security Settings -  Advanced Audit Policy -  System Audit -  Logon Logoff -  Audit Other Logon Off Events -  On Success  Enables the following   4800 - workstation locked 4801 - workstation unlocked 4802 - screensaver invoke 4803 - screensaver dismissed   Windows 10 professional

User · Answer

For Windows 10 the event ID for lock 4800 and unlock 4801    As it says in the answer provided by Mario and User 00000  you will need to enable logging of lock and unlock events by using their method described above by running gpedit msc and navigating to the branch they indicated      Computer Configuration -     Windows Settings -     Security Settings -    Advanced Audit Policy Configuration -     System Audit Policies - Local Group Policy Object -     Logon Logoff -     Audit Other Login Logoff    Enable for both success and failure events   After enabling logging of those events you can filter for Event ID 4800 and 4801 directly   This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer

[windows] Eventviewer eventid for lock and unlock

Examples related to windows

Examples related to event-viewer