[windows] Eventviewer eventid for lock and unlock

What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?

This question is related to windows event-viewer

The answer is


The event IDs to look for in pre-Vista Windows are 528, 538, and 680. 528 usually stands for successful unlock of workstation.

The codes for newer Windows versions differ, see below answers for more infos.


Using Windows 10 Home edition. I was unable to get my event viewer to capture events 4800 and 4801, even after installing the Windows Group Policy Editor, enabling auditing on all the relevant events, and restarting the computer. However, I was able to discover other events that are tied to locking and unlocking that you can use as accurate and reliable indicators of when the PC was locked. See configurations below - the first is for PC Locked (the event connected to displaying C:\Windows\System32\LogonUI.exe) - and the second is for PC Unlocked (the event for successful logon).

enter image description here

enter image description here


The lock event ID is 4800, and the unlock is 4801. You can find them in the Security logs. You probably have to activate their auditing using Local Security Policy (secpol.msc, Local Security Settings in Windows XP) -> Local Policies -> Audit Policy. For Windows 10 see the picture below.

Look in Description of security events in Windows 7 and in Windows Server 2008 R2 under Subcategory: Other Logon/Logoff Events.

Other Logon/Logoff Events in Windows 10


To identify unlock screen I believe that you can use ID 4624. But then you also need to look at the Logon Type which in this case is 7: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624

Event ID for Logoff is 4634


Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success

Enables the following:

4800 - workstation locked
4801 - workstation unlocked
4802 - screensaver invoke
4803 - screensaver dismissed

Windows 10 professional


Unfortunately there is no such a thing as Lock/Unlock. What you have to do is:

  1. Click on "Filter Current Log..."
  2. Select the XML tab and click on "Edit query manually"
  3. Enter the below query:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
        *[EventData[Data[@Name='LogonType']='7']
         and
         (System[(EventID='4634')] or System[(EventID='4624')])
         ]</Select>
      </Query>
    </QueryList>
    

That's it


For Windows 10 the event ID for lock=4800 and unlock=4801.

As it says in the answer provided by Mario and User 00000, you will need to enable logging of lock and unlock events by using their method described above by running gpedit.msc and navigating to the branch they indicated:

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Logon/Logoff -> Audit Other Login/Logoff

Enable for both success and failure events.

After enabling logging of those events you can filter for Event ID 4800 and 4801 directly.

This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer.


For newer versions of Windows (including but not limited to both Windows 10 and Windows Server 2016), the event IDs are:

  • 4800 - The workstation was locked.
  • 4801 - The workstation was unlocked.

Locking and unlocking a workstation also involve the following logon and logoff events:

  • 4624 - An account was successfully logged on.
  • 4634 - An account was logged off.
  • 4648 - A logon was attempted using explicit credentials.

When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event 4778 may replace event 4801:

  • 4779 - A session was disconnected from a Window Station.
  • 4778 - A session was reconnected to a Window Station.

Events 4800 and 4801 are not audited by default, and must be enabled using either Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).

The path for the policy using Local Group Policy Editor is:

  • Local Computer Policy
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Advanced Audit Policy Configuration
  • System Audit Policies - Local Group Policy Object
  • Logon/Logoff
  • Audit Other Logon/Logoff Events

The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor:

  • Security Settings
  • Advanced Audit Policy Configuration
  • System Audit Policies - Local Group Policy Object
  • Logon/Logoff
  • Audit Other Logon/Logoff Events

You will need to enable logging of these events. Do so by opening the group policy editor:

run -> gpedit.msc

and configuring the following category:

Computer Configuration ->
Windows Settings ->
Security Settings ->
Advanced Audit Policy Configuration ->
System Audit Policies - Local Group Policy Object ->
Logon/Logoff ->
Audit Other Login/Logoff Events

(In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)