0

The following eventvwr.exe event relates to a screen unlock event:

Event ID 4624 (access type: 7) (screen unlock)

Now I need to find the screen lock event, so I can compare the time between when I left the apartment and when the screen locked. If the difference is more than what is set as the screen lock time in the control panel, I will know someone logged on while I was away. Thanks.

NOTE:

I'm confused because this post tells another story.

1 Answer

3

What is the event ID for a lock event and how to tell if it is user-initiated or not?

If a user locks the workstation and then immediately unlocks the workstation the following events are logged (read from the bottom up in the image):


  • 4800 The workstation was locked
  • 4648 A logon was attempted using explicit credentials
  • 4624 An account was successfully logged on
  • 4672 Special privileges assigned to new logon
  • 4801 The workstation was unlocked

4800: The workstation was locked

  • When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged.
  • To find out when the user returned and unlocked the workstation look for event ID 4801.
  • If a screen saver is used, there is a relationship between this event and 4802/4803. See event ID 4802 for an explanation of the sequence of events.

Description Fields

The user and logon session involved.

  • Security ID: The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Source 4800: The workstation was locked


4801: The workstation was unlocked

  • When a user unlocks his workstation you will see this event.

  • To find out when the workstation was previously locked look backwards in time for event ID 4800.

  • If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed).

  • For Interactive logons you may see this event or 4803.

Source 4801: The workstation was unlocked


4624: An account was successfully logged on

  • This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account.
  • You can tie this event to logoff events 4634 and 4647 using Logon ID.

Source 4624: An account was successfully logged on


What is the difference between windows events 4801 and 4624?

  • Event ID 4624 is generated when an account successfully logs on.
  • Event ID 4801 is generated when the workstation is unlocked.
  • You get both of these events when a user unlocks the workstation.


DavidPostill
  • 162,382
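The check described in the question, built on the 4800/4801 pairing from the answer, as an added example that is not part of the original post. It assumes the Security log has been exported to (time, event ID, Logon ID) records; the sample records, the function names and the one-minute slack are constructed for illustration.

```python
from datetime import datetime, timedelta

LOCK, UNLOCK = 4800, 4801
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (time, event ID, Logon ID); not from a real log.
SAMPLE_EVENTS = [
    ("2024-03-01 08:55:10", 4624, "0x3e7a1"),
    ("2024-03-01 09:10:00", 4800, "0x3e7a1"),
    ("2024-03-01 13:42:17", 4801, "0x3e7a1"),
    ("2024-03-01 13:50:00", 4800, "0x3e7a1"),
    ("2024-03-01 18:05:30", 4801, "0x3e7a1"),
]

def parse(events):
    """Keep only lock/unlock records, oldest first."""
    rows = [(datetime.strptime(t, FMT), eid, lid)
            for t, eid, lid in events if eid in (LOCK, UNLOCK)]
    return sorted(rows, key=lambda r: r[0])

def locked_intervals(events):
    """Pair each 4800 with the next 4801 that carries the same Logon ID."""
    open_locks, intervals = {}, []
    for when, eid, lid in parse(events):
        if eid == LOCK:
            open_locks.setdefault(lid, when)  # keep the earliest unmatched lock
        elif lid in open_locks:
            intervals.append((lid, open_locks.pop(lid), when))
    # A lock with no later unlock was still in place when the export ended.
    intervals += [(lid, when, None) for lid, when in open_locks.items()]
    return sorted(intervals, key=lambda i: i[1])

def review_absence(events, left, returned, lock_timeout,
                   slack=timedelta(minutes=1)):
    """Report unlocks inside [left, returned) and a first lock that came
    later than the inactivity timeout allows."""
    left = datetime.strptime(left, FMT)
    returned = datetime.strptime(returned, FMT)
    rows = parse(events)
    unlocks = [w for w, eid, _ in rows if eid == UNLOCK and left <= w < returned]
    first_lock = next((w for w, eid, _ in rows if eid == LOCK and w >= left), None)
    late = first_lock is not None and first_lock - left > lock_timeout + slack
    return {"first_lock": first_lock, "late_lock": late,
            "unlocks_while_away": unlocks}

if __name__ == "__main__":
    for lid, start, end in locked_intervals(SAMPLE_EVENTS):
        print(lid, start, "->", end or "still locked")
    print(review_absence(SAMPLE_EVENTS, "2024-03-01 09:00:00",
                         "2024-03-01 18:05:00", timedelta(minutes=10)))
```

Events 4800 and 4801 are only written when the "Audit Other Logon/Logoff Events" audit subcategory is enabled, so an empty result on a machine without that policy says nothing about whether the workstation was unlocked.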