When investigating incidents, an administrator often needs to find out who accessed a particular Windows computer and when. The history of user logons in a domain network can be obtained from the logs of the domain controllers, but sometimes it is easier to get this information directly from the computer's own logs. In this article, we'll show you how to get and analyze the user login history on a Windows computer or server. These statistics will help you answer the question “Who used this Windows computer, and when?”
Configuring the Windows User Login Audit Policy
You must first enable the user login audit policy. On a standalone computer, use the gpedit.msc snap-in to configure local group policy settings. If you want to enable the policy for computers in an Active Directory domain, use the domain GPO editor (gpmc.msc).
- Launch the GPMC console, create a new GPO and assign it to the Organizational Units (OU) with the computers and/or servers for which you want to enable the login event audit policy;
- Open the GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff;
- Enable the two audit policies Audit Logon and Audit Logoff. This will allow you to track both user login and logout events. If you want to track only successful login events, enable only the Success option in the policy settings;
The same section includes policies for auditing account lockout events, changes to Active Directory groups, etc.
Close the GPO editor and update the policy settings on the clients.
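To confirm that the policy actually reached a client, you can read the effective audit settings with auditpol. The following is an added example, not part of the original article; the function name Test-LogonAuditPolicy is illustrative, and it assumes an English-language Windows installation and an elevated PowerShell session.

```powershell
# Added example, not from the original article. Run in an elevated session.
# Assumption: English-language Windows (auditpol localizes names and setting strings).
function Test-LogonAuditPolicy {
    param([string[]]$Subcategory = @('Logon', 'Logoff'))

    foreach ($name in $Subcategory) {
        # /r prints the effective setting as CSV; drop blank lines before parsing
        $row = auditpol.exe /get "/subcategory:$name" /r |
            Where-Object { $_.Trim() } | ConvertFrom-Csv

        [pscustomobject]@{
            Subcategory    = $row.Subcategory
            Setting        = $row.'Inclusion Setting'
            SuccessAudited = $row.'Inclusion Setting' -match 'Success'
            FailureAudited = $row.'Inclusion Setting' -match 'Failure'
        }
    }
}

gpupdate.exe /force | Out-Null      # re-apply Group Policy on this client first
Test-LogonAuditPolicy | Format-Table -AutoSize
```

If SuccessAudited is False for Logon, event 4624 will not be written and the searches described in the rest of the article return nothing.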
Searching for User Login Events in the Windows Event Log
After you enable the logon audit policies, a logon entry will appear in the Event Viewer log each time a user logs on to Windows. Let's see what it looks like.
- Open the Event Viewer (eventvwr.msc);
- Expand the Windows Logs section and select the Security log;
- Right-click on it and select Filter Current Log;
- Enter event ID 4624 in the field and click OK;
- Only logon events for users and system services, with the description "An account was successfully logged on", will remain in the event window;
- The event description contains the name and domain of the logged in user:
New Logon:
Security ID: WINITPRO\a.khramov
Account Name: a.khramov
Account Domain: WINITPRO
Other useful EventIDs are listed below:
Event ID | Description
4624 | A successful account logon event
4625 | An account failed to log on
4648 | A logon was attempted using explicit credentials
4634 | An account was logged off
4647 | User initiated log off
If you look through the event log, you will notice that it contains more than just user logon events on the computer. There will also be events for network access to this computer (when opening shared files over the network or printing to network printers), for the start of various services and scheduler tasks, etc. That is, there are many extra events that do not relate to a local user login. To select only interactive user logon events on the computer console, you must additionally filter by the value of the Logon Type parameter. The table below lists the Logon Type codes.
Logon Type code | Description
0 | System
2 | Interactive
3 | Network
4 | Batch
5 | Service
6 | Proxy
7 | Unlock
8 | NetworkCleartext
9 | New Credentials
10 | Remote Interactive
11 | Cached Interactive
12 | CachedRemoteInteractive
13 | Cached Unlock
When remotely connecting to the computer's desktop via RDP, entries with Logon Type 10 or 3 will appear in the event log.
According to this table, a local logon event for a user on a computer should contain Logon Type: 2.
This event also appears in the log when you are logged on to Windows automatically.
To filter logon events by Logon Type, it's best to use PowerShell.
Parsing Windows User Login Events with PowerShell
Let's say our task is to get information about which users have logged into this computer recently. We are interested in interactive login events (via the console) with LogonType = 2. We'll use the Get-WinEvent cmdlet to select events from the Event Viewer logs.
The following PowerShell script will display the login history of users on the current computer and present it as a graphical Out-GridView table.
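# XPath filter: successful logons (event 4624) with Logon Type 2 whose
# VirtualAccount field is %%1843 ("No")
$query = @'
<QueryList>
  <Query Id='0' Path='Security'>
    <Select Path='Security'>
      *[System[EventID='4624']
        and (
          EventData[Data[@Name='VirtualAccount']='%%1843']
          and
          EventData[Data[@Name='LogonType']='2']
        )
      ]
    </Select>
  </Query>
</QueryList>
'@
# Calculated properties: positions 5, 6 and 8 of the 4624 event data hold
# the account name, the account domain and the logon type
$properties = @(
    @{n='User';e={$_.Properties[5].Value}},
    @{n='Domain';e={$_.Properties[6].Value}},
    @{n='TimeStamp';e={$_.TimeCreated}},
    @{n='LogonType';e={$_.Properties[8].Value}}
)
# Show the result in a sortable, filterable grid window
Get-WinEvent -FilterXml $query | Select-Object $properties | Out-GridView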
If you want to select login events from the last few days, you can add a pipe with the following condition:
|Where-Object {$_.TimeStamp -gt '5/10/22'}
The Get-WinEvent cmdlet allows you to get information from remote computers. For example, to get the login history from two computers, run the following script:
'msk-comp1', 'msk-comp2' |
ForEach-Object {
Get-WinEvent -ComputerName $_ -FilterXml $query | Select-Object $properties
}
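If RPC is blocked between the computers, you can retrieve data from the remote computers using the PowerShell Remoting cmdlet Invoke-Command:
# Local variables are not defined in the remote session: pass the query with $using: and build the calculated properties inside the script block
Invoke-Command -ComputerName 'msk-comp1', 'msk-comp2' {Get-WinEvent -FilterXml $using:query | Select-Object @{n='User';e={$_.Properties[5].Value}}, @{n='Domain';e={$_.Properties[6].Value}}, @{n='TimeStamp';e={$_.TimeCreated}}, @{n='LogonType';e={$_.Properties[8].Value}}}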
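Because both Audit Logon and Audit Logoff were enabled, logon events can also be paired with their logoff events to show how long each session lasted. The following added example (not part of the original article) matches each 4624 event with the first 4647 or 4634 event that carries the same Logon ID; the function name Get-LogonSession and its parameters are illustrative, and it must be run in an elevated PowerShell session.

```powershell
# Added example, not from the original article.
function Get-LogonSession {
    param(
        [int[]]$LogonType = @(2, 10),                 # console and RDP logons
        [datetime]$After  = (Get-Date).AddDays(-7)
    )
    # Read the named EventData fields from the event XML instead of
    # relying on positional Properties[n] indexes
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $After
    } | Sort-Object TimeCreated | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Data = $data }
    }

    $sessions = [System.Collections.Generic.List[object]]::new()
    $open = @{}    # Logon ID -> session that has not been closed yet
    foreach ($e in $events) {
        $id = $e.Data['TargetLogonId']
        if ($e.Id -eq 4624) {
            if ([int]$e.Data['LogonType'] -notin $LogonType) { continue }
            $s = [pscustomobject]@{
                User       = '{0}\{1}' -f $e.Data['TargetDomainName'], $e.Data['TargetUserName']
                LogonType  = [int]$e.Data['LogonType']
                Source     = $e.Data['IpAddress']
                LogonTime  = $e.Time
                LogoffTime = $null
                Duration   = $null
            }
            $sessions.Add($s)
            $open[$id] = $s
        }
        elseif ($id -and $open.ContainsKey($id)) {
            # First logoff event (4647 or 4634) for this Logon ID closes the session
            $open[$id].LogoffTime = $e.Time
            $open[$id].Duration   = $e.Time - $open[$id].LogonTime
            $open.Remove($id)
        }
    }
    $sessions    # sessions with an empty LogoffTime are still open or lost their logoff event
}

Get-LogonSession -After (Get-Date).AddDays(-3) | Format-Table -AutoSize
```

Sessions that end with a power loss or a forced reboot never get a logoff event, so an empty LogoffTime does not by itself mean the user is still logged on.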