6

Here are two common ways users can be logged off of Windows:

  • Manual: The user logs off manually
  • Automated: The Windows system logs off the user automatically via some mechanism

Is there any way to determine (based on a stock Windows install, with no special software installed) the method of the logoff, i.e., which of these two methods (Manual/Auto) of logoff was utilized?

Giacomo1968

1 Answer

14

When a user invokes a log off/sign out (manual) action, this is logged to the Security event log as Event ID 4647. Automatic log off (session timeout) will be logged to the event log as Event ID 4634.

To review the events in the event log, perform these actions:

  1. Load eventvwr from Start > Run
  2. Click on Security under the Windows Logs
  3. Click Filter Current Log on the right-hand actions menu
  4. Enter 4634,4647 in the field under Includes/Excludes Event IDs:


Click OK, and you'll see a list of events related to the chosen event IDs.

If you don't see anything, then either your event log has been purged, or the event is too old and you need to change how much data the event viewer stores.

A comprehensive list of event IDs can be found here.
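
The same filter run from PowerShell, as an added example that is not part of the original answer: it reads event IDs 4634 and 4647 from the Security log and, going one step beyond the Event Viewer filter, lines the events up by their TargetLogonId field so each session's logoff records can be read together. It assumes an elevated prompt; the 500-event limit and the `Has4647` column name are choices made for this example.

```powershell
# Reading the Security log requires an elevated (administrator) prompt.
$filter = @{ LogName = 'Security'; Id = 4634, 4647 }

$rows = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named fields live in the event XML under EventData/Data[@Name].
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonId     = [string]$data['TargetLogonId']
            LogonType   = $data['LogonType']   # recorded on 4634 only
        }
    }

if (-not $rows) {
    # Same two causes the answer gives for an empty Event Viewer list.
    Write-Warning 'No 4634/4647 events found: the log was purged or the events have aged out.'
    return
}

# Logon IDs for which a user-initiated logoff (4647) was recorded.
$initiated = @{}
$rows | Where-Object EventId -eq 4647 | ForEach-Object { $initiated[$_.LogonId] = $true }

# Chronological view; Has4647 marks sessions that also have a 4647 record.
$rows | Sort-Object TimeCreated |
    Select-Object TimeCreated, EventId, User, LogonId, LogonType,
        @{ Name = 'Has4647'; Expression = { $initiated.ContainsKey($_.LogonId) } } |
    Format-Table -AutoSize
```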