2

(for background, see: In Windows 7, How to query times, when the computer was locked?)

It seems that there are two entirely separate events that may be generated in the Windows event log when a machine is locked / unlocked:

  • 4800 & 4801 - require a group policy setting to enable them
  • 4624 & 4634 (with login type set to 7) - always enabled (?)

I presume these events aren't exact duplicates of each other, so presumably there's a subtle semantic difference between them that I've missed. What is this difference? What situations (other than the logging being disabled) might cause one to be logged without the other?

1 Answer

3

What is the difference between Windows events 4801 and 4624?

  • Event ID 4624 is generated when an account successfully logs on.
  • Event ID 4801 is generated when the workstation is unlocked.
  • You get both of these events when a user unlocks the workstation.

If a user locks the workstation and then immediately unlocks the workstation, the following events are logged (read from the bottom up in the image):


  • 4800 The workstation was locked
  • 4648 A logon was attempted using explicit credentials
  • 4624 An account was successfully logged on
  • 4672 Special privileges assigned to new logon
  • 4801 The workstation was unlocked

4801: The workstation was unlocked

  • When a user unlocks his workstation you will see this event.

  • To find out when the workstation was previously locked, look backwards in time for event ID 4800.

  • If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed).

  • For Interactive logons you may see this event or 4803.

Source 4801: The workstation was unlocked


4624: An account was successfully logged on

  • This is a highly valuable event since it documents each and every successful attempt to log on to the local computer regardless of logon type, location of the user or type of account.
  • You can tie this event to logoff events 4634 and 4647 using Logon ID.

Source 4624: An account was successfully logged on


Further Reading
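
An added example, not part of the answer above or of the linked sources: Python that pairs 4800/4801 into lock intervals and attaches the Logon ID of the type-7 4624 written just before each unlock, then lists type-7 logons that have no 4801 next to them (what you would see when only the always-on logon auditing is active). The records are constructed sample data; the tuple layout, the 5-second window and the function names are assumptions.

```python
from datetime import datetime, timedelta

LOCK, UNLOCK, LOGON = 4800, 4801, 4624
UNLOCK_LOGON_TYPE = 7  # logon type recorded in 4624 for a workstation unlock

# Constructed sample records: (timestamp, event ID, logon type, Logon ID)
SAMPLE = [
    ("2024-05-06T09:00:02", 4624, 2, "0x3e1a0"),  # console logon, not an unlock
    ("2024-05-06T10:15:00", 4800, None, None),    # workstation locked
    ("2024-05-06T10:42:10", 4648, None, None),    # explicit-credential logon attempt
    ("2024-05-06T10:42:10", 4624, 7, "0x51c77"),  # unlock logon
    ("2024-05-06T10:42:10", 4672, None, "0x51c77"),
    ("2024-05-06T10:42:11", 4801, None, None),    # workstation unlocked
    ("2024-05-06T13:05:30", 4624, 7, "0x7a2b4"),  # type 7 with no 4800/4801 around it
]

def parse(rows):
    """Turn tuples into dicts sorted by time (stable, so ties keep log order)."""
    events = [{"t": datetime.fromisoformat(t), "id": i, "type": lt, "logon_id": lid}
              for t, i, lt, lid in rows]
    return sorted(events, key=lambda e: e["t"])

def correlate(rows, window=timedelta(seconds=5)):
    """Return (lock intervals, Logon IDs of type-7 logons with no nearby 4801)."""
    events = parse(rows)
    type7 = [e for e in events
             if e["id"] == LOGON and e["type"] == UNLOCK_LOGON_TYPE]
    intervals, matched, locked_at = [], set(), None
    for e in events:
        if e["id"] == LOCK:
            locked_at = e["t"]
        elif e["id"] == UNLOCK:
            # The 4624 precedes the 4801, so look back over a short window.
            near = [l for l in type7
                    if timedelta(0) <= e["t"] - l["t"] <= window]
            matched.update(l["logon_id"] for l in near)
            intervals.append({
                "locked": locked_at,  # None if the 4800 is not in the data
                "unlocked": e["t"],
                "logon_id": near[-1]["logon_id"] if near else None,
            })
            locked_at = None
    orphans = [l["logon_id"] for l in type7 if l["logon_id"] not in matched]
    return intervals, orphans

if __name__ == "__main__":
    for iv in correlate(SAMPLE)[0]:
        print(iv["locked"], "->", iv["unlocked"], "Logon ID", iv["logon_id"])
    print("type-7 logons without 4801:", correlate(SAMPLE)[1])
```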
