So, I wanted to monitor a machine: when it's powered on, when it's powered off, when I log in, when I log off, when I lock my session and when I unlock it.
Using the Event Viewer, I can create custom filtered views.
But some events aren't logged by default, including locking or unlocking a session, whether directly or through the screensaver.
So first, I must enable those audit events.
If you're lucky and have a Professional/Enterprise edition (or higher) of Windows, you can do it directly in
Group Policy (gpedit.msc, or secpol.msc for the local policy only)
by going to
Computer Configuration/Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff
and enabling success/failure for
Audit Logon
Audit Logoff
Audit Other Logon/Logoff Events (this is the subcategory that produces the lock/unlock events 4800-4803)
The older setting under Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy, "Audit logon events", switches on the whole Logon/Logoff category at once instead of the three subcategories.
If you're not lucky and have a Home edition (or similar), which has no gpedit.msc, you can:
list the auditable events and their message templates with
wevtutil gp Microsoft-Windows-Security-Auditing /ge:true /gm:true
enable them with
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
(auditpol ships with every edition, so this is the simplest route; check the result afterwards with auditpol /get /category:"Logon/Logoff")
or through the registry (the SECURITY hive is only readable as SYSTEM, hence psexec):
psexec -s -i regedit
then go to
HKLM\SECURITY\Policy\PolAdtEv
and edit the hexadecimal data of the (Default) value:
offsets 16, 18 and 24 should hold "03" to log both success (&01) and failure (&02)
A reboot is necessary for the change to take effect. This binary layout is not documented by Microsoft, so prefer auditpol whenever it works.
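The same enabling step done from PowerShell, as an added example that is not part of the original post: it turns on exactly the three subcategories named above (which is what the Group Policy route does, and finer-grained than enabling the whole category), then reads the policy back as CSV to verify. Nothing here is specific to the author's machine; it only assumes an elevated prompt.

```powershell
# Added example (not from the original post): enable the Logon/Logoff
# subcategories behind 4624/4625/4634/4647 and 4800-4803, then verify.
# auditpol is available on every edition, including Home; run elevated.
#Requires -RunAsAdministrator

$subcategories = @('Logon', 'Logoff', 'Other Logon/Logoff Events')

foreach ($sub in $subcategories) {
    # Per-subcategory settings are the supported way to change auditing.
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# /r prints CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting), which is easier to check than the table.
$state = & auditpol.exe /get /category:'Logon/Logoff' /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv

$state |
    Where-Object { $_.Subcategory -in $subcategories } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Expect "Success and Failure" in the Inclusion Setting column for all three rows. On a domain-joined machine, Group Policy will reapply its own audit settings at the next refresh and can silently undo a local auditpol change, so the verification is worth repeating after a policy refresh.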
Then you can query those events, using either WMI/WQL (via wbemtest or wmic) or XML filters/queries for the event log.
With the first choice, it isn't possible (or practical) to query specific attributes of an event: the per-event fields of Win32_NTLogEvent sit in the InsertionStrings array, and WQL doesn't support queries against array properties.
With the second choice, XPath addresses each EventData field by name (Data[@Name="TargetUserName"]), so it's easy; the same XML works in the Event Viewer's custom views and in Get-WinEvent -FilterXml.
Here are my 3 filters:
1) startup / shutdown. Security 4608 is "Windows is starting up" and 1100 is "the event logging service has shut down"; in the System log, 12 and 13 (Kernel-General) are OS start and shutdown, 41 (Kernel-Power) is a reboot without a clean shutdown, 1001 (BugCheck) is a crash, 6005/6006 are the Event Log service starting/stopping, 6008 flags an unexpected previous shutdown and 6009 records the OS version at boot. The provider exclusion is needed because SNMP and UserModePowerService reuse IDs 1001 and 12 for unrelated events.
<QueryList>
<Query Id="0" Path="System">
<Select Path="Security">*[System[(EventID=1100 or EventID=4608)]]</Select>
<Select Path="System">*[System[(Provider[(@Name!="SNMP" and @Name!="Microsoft-Windows-UserModePowerService")]) and (EventID=12 or EventID=13 or EventID=41 or EventID=1001 or EventID=6005 or EventID=6006 or EventID=6008 or EventID=6009)]]</Select>
</Query>
</QueryList>
2) lock / unlock. 4800 = workstation locked, 4801 = workstation unlocked, 4802 = screensaver invoked, 4803 = screensaver dismissed; all four require the "Other Logon/Logoff Events" subcategory enabled above.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]</Select>
</Query>
</QueryList>
3) login / logoff. 4624 = successful logon, 4625 = failed logon, 4634 = logoff, 4647 = user-initiated logoff, 4648 = logon with explicit credentials (runas), 4672 = special privileges assigned to a new logon, 4768 = Kerberos TGT requested, 4776 = NTLM credential validation. 528/529/538/540/551/672/680 are the pre-Vista equivalents and only matter if the filter is reused on old systems; 7001/7002 are Winlogon's logon/logoff notifications, which live in the System log, so a Select on the Security log never returns them. The Suppress drops events whose IpAddress is "-"; events with no IpAddress field at all (the logoff events) are kept.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=528 or EventID=529 or EventID=538 or EventID=540 or EventID=551 or EventID=672 or EventID=680 or EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648 or EventID=4672 or EventID=4768 or EventID=4776 or EventID=7001 or EventID=7002)] and EventData[(Data[@Name="TargetUserName"]="sebbu" or Data[@Name="TargetUserName"]="zsbe17fr@yahoo.fr")]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name="IpAddress"] = "-"]]</Suppress>
</Query>
</QueryList>
Yes, both the username and the e-mail address (for a Microsoft account) show up as TargetUserName, depending on the event ID.
Now I just click the custom view, and I only see the events I'm interested in.
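The lock/unlock and login/logoff filters run from PowerShell, as an added example that is not part of the original post. It builds the TargetUserName predicate from a list of accounts (the post's "sebbu" is used as the placeholder; replace it with yours), feeds the XML to Get-WinEvent -FilterXml, and pulls the named EventData fields out of each event's XML, which is the thing the WQL route can't do. Get-EventDataField is a helper written for this example, not a built-in cmdlet.

```powershell
# Added example (not from the original post): run the lock/unlock and
# logon/logoff filters and show the EventData fields by name.
# Reading the Security log requires an elevated prompt (or Event Log Readers).
$users = @('sebbu')   # placeholder from the post; put your own account names here

# Build the same XPath predicate the post uses, one term per account.
$userPredicate = ($users | ForEach-Object { 'Data[@Name="TargetUserName"]="' + $_ + '"' }) -join ' or '

$lockFilter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4800 or EventID=4801 or EventID=4802 or EventID=4803)]]</Select>
  </Query>
</QueryList>
'@

$logonFilter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647 or EventID=4648)] and EventData[($userPredicate)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="IpAddress"]="-"]]</Suppress>
  </Query>
</QueryList>
"@

function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    # $Event.Properties is positional only; the XML is where the field names live.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# -ErrorAction SilentlyContinue: "No events were found" is a non-terminating error.
$events = @(Get-WinEvent -FilterXml $lockFilter  -MaxEvents 50  -ErrorAction SilentlyContinue) +
          @(Get-WinEvent -FilterXml $logonFilter -MaxEvents 200 -ErrorAction SilentlyContinue)

$events |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = Get-EventDataField -Event $_ -Name 'TargetUserName'
            LogonType = Get-EventDataField -Event $_ -Name 'LogonType'
            Ip        = Get-EventDataField -Event $_ -Name 'IpAddress'
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

The lock/unlock events (4800-4803) also carry TargetUserName, so the same helper labels them with the account whose session was locked; LogonType and Ip are empty for them because those fields exist only on the logon events.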
Maybe I’ll make a GUI for it later.
One reply on “EventLog”
For those interested, the WQL query I had for all 3 is:
SELECT EventCode, LogFile, SourceName, Message, TimeGenerated FROM Win32_NTLogEvent WHERE
(LogFile='Security' AND (EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803))
OR (LogFile='Security' AND (EventCode=1100 OR EventCode=4608))
OR (LogFile='System' AND SourceName<>'SNMP' AND SourceName<>'Microsoft-Windows-UserModePowerService' AND (EventCode=12 OR EventCode=13 OR EventCode=41 OR EventCode=1001 OR EventCode=6005 OR EventCode=6006 OR EventCode=6008 OR EventCode=6009))
OR (LogFile='Security' AND (EventCode=528 OR EventCode=529 OR EventCode=538 OR EventCode=540 OR EventCode=551 OR EventCode=672 OR EventCode=680 OR EventCode=4624 OR EventCode=4625 OR EventCode=4634 OR EventCode=4647 OR EventCode=4648 OR EventCode=4672 OR EventCode=4768 OR EventCode=4776 OR EventCode=7001 OR EventCode=7002))
but I still need to remove the events which have a « - » for IpAddress