16

I'm required to log my start and finish times at work. Occasionally I forget to do this and had a bright idea that checking the Security events log would allow me to retrospectively ascertain my times.

Unfortunately, the logs are much bigger than I thought and take a while even to display in Event Viewer. Also, I tried filtering the logs by date and userid but so far this has yielded no results.

Assuming my idea is feasible, can anyone step-through what I'd need to do to retrieve the information I need?

UPDATE:

I followed @surfasb's instructions and got to the point where I can see only the logins, however some of these are System-level (i.e. non-human) logins. I would like to see only my 'physical' logins (there would only be two or three such events on weekdays) and not all the other stuff.

I've tried putting my Windows username in the field as shown below using both domain\username and just username but this just filters out everything. Can you assist?


4 Answers

10

The default configuration makes it rather messy. This is because Windows also tracks any time you have to log in to network computers. It also tracks every time your computer account, not the user account, creates a login session.

You should use the audit account logon option and not the audit logon option.

The events you are looking for will have your account's Fully Qualified Domain Name. For example, if you are not on a domain, the search text you are looking for is computer_name / account_name.

edit

Another idea is to create login and logoff scripts. Depending on your edition of Windows 7, you can use gpedit.msc to bring up the Group Policy Console.

Then you'll just need a batch file that has the command logevent "My login/logoff event" -e 666. This event will show up in the Application Log.

edit

This will be easier if you are not on a domain. If you go under Local Security / Local Policies / Security Options, look for the "Force Audit..." option. I forgot the name of it. But disable it. That will make the Security logs less verbose, since a user logging in at the console, in some cases, shares the same Event ID. Some Event IDs you want to look for:

  • Event 4647 - this is when you hit the logoff, restart, or shutdown button. Windows Update restarting your computer also sometimes sets off this event :(
  • Event 4648 - this is when a process (which includes the login screen) uses your explicit credentials, rather than say a token, to log in. This includes the Runas command and, a lot of times, backup programs.
  • Event 4800 - when your workstation is locked, like pressing WIN + L
  • Event 4801 - when your workstation is unlocked

Generally, you can get by using events 4647 and 4648. Unfortunately there isn't a surefire method since there are a thousand things that happen when you log in and log off your computer.

For what it is worth, at work we look for the login script to fire, and at logoff there are two programs as well as a sync event we look for as surefire events.

7
  • Thanks for your response. Could you elaborate a bit more please? I'm new to the murky world of Win7 system administration :-(
    – immutabl
    Commented Sep 22, 2011 at 8:52
  • I have no idea where should I start. "Turn on your computer"?
    – surfasb
    Commented Sep 22, 2011 at 12:17
  • Ahem. You can safely assume I've managed to get as far as filtering the Event Viewer logs ...
    – immutabl
    Commented Sep 22, 2011 at 13:48
  • Go under the Local Security Options and turn on Audit Account Logon. Ack. I'll edit my post in an hour here. . .
    – surfasb
    Commented Sep 22, 2011 at 14:07
  • I added some helpful events in an edit. I hope that helps.
    – surfasb
    Commented Sep 22, 2011 at 17:07
1

Simple Solution:

  1. Open the event or events for which you wish to create a custom view.
  2. Move the window somewhere that will be visible (one side of the screen, second monitor, or print it)
  3. Create a new view and define it using the opened event's parameters (e.g. User, Keywords, Computer, etc.). In this case, User was N/A so I just used the Computer and Event ID (4648, not 4624).
  4. After modifying parameters as needed, save.

This method is useful for any event or set of events you wish to log. It does not require complex tasks or third party software.

0

Try using the XML filter tab and specify the following:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[EventID=4672] 
     and EventData[Data[@Name='SubjectUserName'] = 'your_username']]
    </Select>
  </Query>
</QueryList>
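Putting surfasb's event IDs together with the per-user filtering that the XML query above does, here is an added PowerShell example (not code from either answer) that pulls those events with Get-WinEvent, keeps only the ones for a single account, and prints the earliest and latest per day as a start/finish estimate. It assumes an elevated prompt on the workstation itself, that logon auditing is already enabled, and uses 'your_username' as a placeholder; it also includes 4624 (successful logon) restricted to interactive logon types, which is not in the original answers.

```powershell
# Added example, not code from any of the answers above.
# Assumes: elevated PowerShell on the workstation itself, logon auditing already
# enabled, and $User replaced with the real account name (placeholder below).
param(
    [string]$User = 'your_username',   # placeholder account to report on
    [int]$Days = 14                    # how far back to look
)

# 4647/4648/4800/4801 from surfasb's list, plus 4624 (successful logon), which
# carries the LogonType needed to separate console logons from network noise.
$ids   = 4624, 4647, 4648, 4800, 4801
$start = (Get-Date).Date.AddDays(-$Days)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $start
} -ErrorAction SilentlyContinue       # no matching events -> empty result, not an error

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than positional properties.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # All five IDs carry TargetUserName; -ne is case-insensitive in PowerShell.
    if ($data['TargetUserName'] -ne $User) { continue }
    # For 4624 keep only interactive (2), unlock (7) and cached interactive (11) logons;
    # types 3/4/5 (network, batch, service) are the system-level entries the question mentions.
    if ($e.Id -eq 4624 -and $data['LogonType'] -notin '2', '7', '11') { continue }

    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; LogonType = $data['LogonType'] }
}

# One line per calendar day: earliest and latest matching event as start/finish.
$rows | Sort-Object Time |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    ForEach-Object {
        [pscustomobject]@{
            Day    = $_.Name
            Start  = ($_.Group | Select-Object -First 1).Time.ToString('HH:mm')
            Finish = ($_.Group | Select-Object -Last 1).Time.ToString('HH:mm')
            Events = $_.Count
        }
    } | Format-Table -AutoSize
```

The Start/Finish columns are only as good as the audit coverage surfasb describes: a lock (4800) with no later unlock or logoff will leave that day's Finish at the lock time.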

-1

I've had the same problem, and managed to solve it using these steps:

A: Install MyEventViewer (freeware) and open the events list in this program.

Unfortunately, I haven't found how to filter the events by description (and the description is where the login name is stored) in MyEventViewer, but at least it displays the description in the main table.

B: Export this table to log1.txt

C: Use some advanced text search program to extract login times for given user.

I used grep.

This is the format of exported events:

Log Type : Security

Event Type : Audit Success

Time : 10.12.2012 18:33:24

Event ID : 680

User Name : SYSTEM

Computer : YYY

Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0x0

==================================================

==================================================

First extract all logon attempts by user XXX.

$ grep -B 4 "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX" log1.txt > log2.txt

This will filter the logon attempts by user XXX and print them to log2.txt. The -B 4 grep option is needed because the info we're looking for (login time) is stored 4 lines above the line that contains the pattern we're looking for (username).

D: Extract login times from log2.txt

$ grep "Time" log2.txt > log3.txt

Now log3.txt lists all login times for given user:

Time : 10.12.2012 14:12:32

Time : 7.12.2012 16:20:46

Time : 5.12.2012 19:22:45

Time : 5.12.2012 18:57:55

A simpler solution probably exists but I've been unable to find it, so this had to do the trick for me.
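As an added example (not part of the answer above), the same export can be parsed into records rather than grepped, which also lets you drop failed attempts that the "Logon account: XXX" pattern alone would keep. The sample text is constructed to match the MyEventViewer format shown above; the second record is an invented failure with a non-zero Error Code.

```powershell
# Added example, not from the original answer. Parses a MyEventViewer-style text
# export ("Key : Value" lines, records separated by a row of '=' characters).
# $sample is constructed for illustration; the second record is an invented failed logon.
$sample = @'
Log Type : Security
Event Type : Audit Success
Time : 10.12.2012 18:33:24
Event ID : 680
User Name : SYSTEM
Computer : YYY
Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0x0
==================================================
Log Type : Security
Event Type : Audit Failure
Time : 10.12.2012 14:12:32
Event ID : 680
User Name : SYSTEM
Computer : YYY
Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0xC000006A
==================================================
'@

function ConvertFrom-EventExport {
    param([string]$Text)
    # Split on separator rows, then turn each "Key : Value" block into an object.
    foreach ($block in ($Text -split '(?m)^=+\s*$')) {
        $rec = @{}
        foreach ($line in ($block -split "`r?`n")) {
            # Lazy key match stops at the first colon, so "Time : 10.12.2012 18:33:24" splits correctly.
            if ($line -match '^(?<k>[^:]+?)\s*:\s*(?<v>.*)$') { $rec[$Matches.k] = $Matches.v }
        }
        if ($rec.Count -gt 0) { [pscustomobject]$rec }
    }
}

function Get-LogonTimes {
    param([string]$Text, [string]$Account)
    ConvertFrom-EventExport $Text |
        Where-Object {
            # Event 680 successes only; failed attempts carry a non-zero Error Code.
            $_.'Event ID' -eq '680' -and $_.'Event Type' -eq 'Audit Success' -and
            $_.'Event Description' -match "Logon account: $([regex]::Escape($Account))\b"
        } |
        ForEach-Object {
            [datetime]::ParseExact($_.Time, 'd.M.yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
        } | Sort-Object
}

Get-LogonTimes -Text $sample -Account 'XXX'
```

Replace $sample with `Get-Content log1.txt -Raw` to run it against the real export.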
