How to Get User Logon Session Times from the Event Log


To figure out user session time, you’ll first need to enable three advanced audit policies; Audit Logoff, Audit Logon and Audit Other Logon/Logoff Events.

The combination of these three policies get you all of the typical logon/logoff events but also gets the workstation lock/unlock events and even RDP connect/disconnects. This ensures we get all of the session start/stop events.

When these policies are enabled in a GPO and applied to a set of computers, a few different event IDs will begin to be generated.  They are:

  • Logon – 4624 (Security event log)
  • Logoff – 4647 (Security event log)
  • Startup – 6005 (System event log)
  • RDP Session Reconnect – 4778 (Security event log)
  • RDP Session Disconnect – 4779 (Security event log)
  • Locked – 4800 (Security event log)
  • Unlocked – 4801 (Security event log)

You’ll notice the startup event. Why that one? The reason is because what if the computer’s power plug is pulled while a user is logged in? How will we know when that is. It’s not a perfect metric but it’s the only date/time we have to show when that happened.

Once we’ve got all of the IDs put together, we’ll then need to match the session start event with the very next session end event. But what if there are multiple users logging into a computer? To differentiate we can use the Logon ID field.  This is a unique field for each logon session. If we can find a session start time and then look up through the event log for the next session stop time with the same Logon ID we’ve found that user’s total session time.

In this instance, you can see that the LAB\Administrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. I then looked up through the event log at the subsequent messages until I found a session end event (ID 4634) that showed up with the same Logon ID at 5:30PM on the same day. Knowing this Logon ID, I was then able to deduce that the LAB\Administrator account had been logged on for three minutes or so.

This was just a quick demonstration of actual logon/logoff scenarios. You’ll find that when you review a computer in the “real world” you can’t always depend on logon/logoff events if you’d like to find user session durations. Multiple scenarios may come into play such as when a user locks her computer and comes back to unlock it. Perhaps she may lock her computer and the power gets cut. There will be no unlock event; only a startup event. These are the gotchas you need to watch out for to be able to accurately calculate user session history.

参考博文:

Logon Session Times的更多相关文章

  1. IIS导入.pfx证书时报错:"A specified logon session does not exist. It may already have been terminated."

    在IIS中可以直接导入.pfx文件来给站点绑定https协议: 如果在导入.pfx文件时,不选择"Allow this certificate to be exported"的话 ...

  2. C#穿透session隔离———Windows服务启动UI交互程序

    在Windows服务里面启动其他具有界面的应用程序,需要穿透session隔离,尝试了很多种方法,都可行,现在一一列举下来,并写下几个需要注意的地方. 需要注意的地方 首先要将服务的Account属性 ...

  3. Audit logon events&Logon type

    表一.Logon type 表二.Audit logon events 表三.Logon type details Logon type Logon title Description 2 Inter ...

  4. System Error Codes

    很明显,以下的文字来自微软MSDN 链接http://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx M ...

  5. 浅析Windows安全相关的一些概念

    Session 我们平常所说的Session是指一次终端登录, 这里的终端登录是指要有自己的显示器和鼠标键盘等, 它包括本地登录和远程登录.在XP时代每次终端登录才会创建一个Session,但是在Vi ...

  6. Windows Directory ACL Security Check By ACL Baseline

    catalog . Windows NTFS ACL(MAC) Permission . How the System Uses ACLs . 服务器不安全ACL配置带来的攻击向量 . NTFS AC ...

  7. IE下Debug BHO

    主要就是修改注册表键值使IE不创建多个进程:HKLM\Software\Microsoft\Internet Explorer\Main - TabProcGrowth 但需要注意的是这种情况下,vs ...

  8. windows命令行及批处理文件小结

    1.命令Shell概述(Command shell overview): The command shell is a separate software program that provides ...

  9. Windows 错误代码

    Error Messages for Windows http://www.gregorybraun.com/MSWINERR.ZIP Server 4.0 Error Messages   Code ...

随机推荐

  1. Rabbitmq消息队列(三) 工作队列

    1.简介 默认来说,RabbitMQ会按顺序得把消息发送给每个消费者(consumer).平均每个消费者都会收到同等数量得消息.这种发送消息得方式叫做——轮询(round-robin). 工作队列(又 ...

  2. js中formData的使用

    FormData 对象的使用 https://developer.mozilla.org/zh-CN/docs/Web/API/FormData/Using_FormData_Objects http ...

  3. Atitit.ui控件---下拉菜单选择控件的实现select html

    Atitit.ui控件---下拉菜单选择控件的实现select   html 1. 调用& model的实现 1 2. -----select.jsp------ 1 1. 调用& m ...

  4. atitit.破解 拦截 绕过 网站 手机 短信 验证码 之自动获取手机短信方式 attilax 总结

    atitit.破解  拦截 绕过 网站 手机 短信 验证码 之自动获取手机短信方式 attilax 总结 1. 自动获取手机短信方式的原理 1 2. 调用api 1 3. ----核心代码 2 4.  ...

  5. Git-查看远程分支、本地分支、创建分支

    1.查看本地分支 $ git branch * br-2.1.2.2 master 2.查看远程分支 $ git branch -r origin/HEAD -> origin/master o ...

  6. git三种模式及常用命令

    Git的三种重要模式,分别是已提交.已修改.已暂存. 已提交(committed):表示数据文件已经顺利提交到Git数据库中. 已修改(modified):表示数据文件已经被修改,但未被保存到Git数 ...

  7. maven项目编译:程序包com.sun.image.codec.jpeg不存在 这个类文件的位置在jre/lib/rt.jar

    转载:http://superich2008.iteye.com/blog/2047830 失败提示信息为:程序包com.sun.image.codec.jpeg不存在 这个类文件的位置在jre/li ...

  8. Uncaught TypeError: Cannot read property 'addEventListener'

    标签元素还没有创建就调用引用标签的脚本就会出现此问题 将脚本放置在脚本标签的后面就可以了

  9. Windows动态库的使用 part one

    二.动态库程序 这篇写得比较乱,看不懂的可以跳part 2,直接上图片的.   动态库的使用: 4.3.1 隐式链接 动态库的隐式连接,需要动态库的 动态库文件".dll" , 动 ...

  10. 关于如何防止PHP漏洞?

    踏入编程圈一年不到,之前写的文章一直放在个人博客上,以后我写的或整理的好的教程一定到园子里分享,只是园子里PHPer好像不怎么活跃,希望同行多多交流.这是我之前整理的一篇PHP漏洞文章! 漏洞无非这么 ...