Eventviewer eventid for lock and unlock

Backend | unresolved | 9 | 893
滥情空心 2020-12-04 10:55

What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?

9 answers
  • 2020-12-04 11:15

    To identify unlock screen I believe that you can use ID 4624. But then you also need to look at the Logon Type which in this case is 7: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624

    Event ID for Logoff is 4634

  • 2020-12-04 11:19

    Unfortunately there is no such thing as Lock/Unlock. What you have to do is:

    1. Click on "Filter Current Log..."
    2. Select the XML tab and click on "Edit query manually"
    3. Enter the below query:

      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">
          *[EventData[Data[@Name='LogonType']='7']
           and
           (System[(EventID='4634')] or System[(EventID='4624')])
           ]</Select>
        </Query>
      </QueryList>

    That's it

  • 2020-12-04 11:26

    The lock event ID is 4800, and the unlock is 4801. You can find them in the Security logs. You probably have to activate their auditing using Local Security Policy (secpol.msc, Local Security Settings in Windows XP) -> Local Policies -> Audit Policy. For Windows 10 see the picture below.

    Look in "Description of security events in Windows 7 and in Windows Server 2008 R2" under Subcategory: Other Logon/Logoff Events.

  • 2020-12-04 11:29

    Using Windows 10 Home edition. I was unable to get my event viewer to capture events 4800 and 4801, even after installing the Windows Group Policy Editor, enabling auditing on all the relevant events, and restarting the computer. However, I was able to discover other events that are tied to locking and unlocking that you can use as accurate and reliable indicators of when the PC was locked. See configurations below - the first is for PC Locked (the event connected to displaying C:\Windows\System32\LogonUI.exe) - and the second is for PC Unlocked (the event for successful logon).

  • 2020-12-04 11:30

    Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success

    Enables the following:

    4800 - workstation locked
    4801 - workstation unlocked
    4802 - screensaver invoked
    4803 - screensaver dismissed

    Windows 10 professional

  • 2020-12-04 11:32

    For newer versions of Windows (including but not limited to both Windows 10 and Windows Server 2016), the event IDs are:

    • 4800 - The workstation was locked.
    • 4801 - The workstation was unlocked.

    Locking and unlocking a workstation also involve the following logon and logoff events:

    • 4624 - An account was successfully logged on.
    • 4634 - An account was logged off.
    • 4648 - A logon was attempted using explicit credentials.

    When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event 4778 may replace event 4801:

    • 4779 - A session was disconnected from a Window Station.
    • 4778 - A session was reconnected to a Window Station.

    Events 4800 and 4801 are not audited by default, and must be enabled using either Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).

    The path for the policy using Local Group Policy Editor is:

    • Local Computer Policy
    • Computer Configuration
    • Windows Settings
    • Security Settings
    • Advanced Audit Policy Configuration
    • System Audit Policies - Local Group Policy Object
    • Logon/Logoff
    • Audit Other Logon/Logoff Events

    The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor:

    • Security Settings
    • Advanced Audit Policy Configuration
    • System Audit Policies - Local Group Policy Object
    • Logon/Logoff
    • Audit Other Logon/Logoff Events
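    Putting the answers above together, as an added example that is not from the thread: a PowerShell script that enables the same "Other Logon/Logoff Events" subcategory the last answer reaches through gpedit/secpol (via auditpol instead), then reads 4800/4801 together with the LogonType-7 4624/4634 events from the second answer and prints a lock/unlock timeline. It assumes an elevated shell, since the Security log is not readable by standard users; the function names are my own.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell (reading the
# Security log needs admin rights) and that "Audit Other Logon/Logoff Events" is on.

# Same subcategory the answers above enable through gpedit/secpol, via auditpol instead.
function Enable-LockUnlockAuditing {
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable | Out-Null
}

# XPath mirrors the thread: 4800/4801 directly, plus 4624/4634 limited to LogonType 7 (Unlock).
$LockUnlockQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[(System[EventID=4800 or EventID=4801])
        or (System[EventID=4624 or EventID=4634]
            and EventData[Data[@Name='LogonType']='7'])]
    </Select>
  </Query>
</QueryList>
"@

function Get-LockUnlockTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # -ErrorAction handles the "No events were found" case when nothing matched.
    Get-WinEvent -FilterXml $LockUnlockQuery -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object {
            # Pull EventData fields by name instead of relying on positional Properties[].
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $action = switch ($_.Id) {
                4800 { 'Locked' }
                4801 { 'Unlocked' }
                4624 { 'Logon, type 7 (unlock)' }
                4634 { 'Logoff, type 7' }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Action  = $action
                User    = $data['TargetUserName']
                LogonId = $data['TargetLogonId']
            }
        } | Sort-Object Time
}

Get-LockUnlockTimeline -Since (Get-Date).AddHours(-8) | Format-Table -AutoSize
```

    Run Enable-LockUnlockAuditing once before the first query; until then, as the fourth answer found, only the type-7 4624/4634 pair will show up, not 4800/4801.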