Windows 7: What is the event ID for a lock event and how to tell if it is user-initiated or not?
If a user locks the workstation and then immediately unlocks the workstation, the following events are logged (read from the bottom up in the image):
- 4800 The workstation was locked
- 4648 A logon was attempted using explicit credentials
- 4624 An account was successfully logged on
- 4672 Special privileges assigned to new logon
- 4801 The workstation was unlocked
4800: The workstation was locked
- When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged.
- To find out when the user returned and unlocked the workstation look for event ID 4801.
- If a screen saver is used, there is a relationship between this event and 4802/4803. See event ID 4802 for an explanation of the sequence of events.
Description Fields
The user and logon session involved.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Source 4800: The workstation was locked
4801: The workstation was unlocked
When a user unlocks his workstation you will see this event.
To find out when the workstation was previously locked, look backwards in time for event ID 4800.
If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed).
- For Interactive logons you may see this event or 4803.
Source 4801: The workstation was unlocked
4624: An account was successfully logged on
- This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account.
- You can tie this event to logoff events 4634 and 4647 using Logon ID.
Source 4624: An account was successfully logged on
What is the difference between windows events 4801 and 4624?
- Event ID 4624 is generated when an account successfully logs on.
- Event ID 4801 is generated when the workstation is unlocked.
- You get both of these events when a user unlocks the workstation.
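As an added example (not part of the original answer), the Python below pairs each 4800 with the next 4801 that shares its Logon ID and lists 4625 failures that fall inside a locked window. The records are constructed sample data, and the tuple layout and function names are assumptions; exporting the events from the Security log is assumed to happen elsewhere.

```python
from datetime import datetime

# Constructed sample records (not from the page): time, event ID, Logon ID, logon type.
# In this sample the 4624 logged at unlock (type 7) has its own Logon ID.
EVENTS = [
    ("2015-01-10 09:00:05", 4624, "0x3e1a7", 2),     # interactive logon
    ("2015-01-10 12:35:10", 4800, "0x3e1a7", None),  # workstation locked
    ("2015-01-10 13:02:41", 4625, None, 7),          # failed logon attempt
    ("2015-01-10 14:37:02", 4624, "0x9c2f0", 7),     # logon that precedes the unlock
    ("2015-01-10 14:37:02", 4801, "0x3e1a7", None),  # workstation unlocked
    ("2015-01-10 17:10:00", 4800, "0x3e1a7", None),  # locked, no unlock in this export
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def lock_windows(events):
    """Pair each 4800 with the next 4801 that has the same Logon ID."""
    open_locks, windows = {}, []
    for ts, eid, logon_id, _ in sorted(events, key=lambda e: parse(e[0])):
        if eid == 4800:
            open_locks[logon_id] = parse(ts)
        elif eid == 4801 and logon_id in open_locks:
            windows.append((logon_id, open_locks.pop(logon_id), parse(ts)))
    # Locks with no matching unlock stay open (end is None).
    windows += [(lid, start, None) for lid, start in open_locks.items()]
    return sorted(windows, key=lambda w: w[1])

def failed_logons_while_locked(events, windows):
    """4625 events that fall inside a locked window."""
    hits = []
    for ts, eid, _, _ in events:
        if eid != 4625:
            continue
        t = parse(ts)
        for lid, start, end in windows:
            if start <= t and (end is None or t <= end):
                hits.append((lid, t))
    return hits

def unlock_logons(events):
    """4624 records with logon type 7, the logon generated on unlock."""
    return [parse(ts) for ts, eid, _, lt in events if eid == 4624 and lt == 7]

if __name__ == "__main__":
    for lid, start, end in lock_windows(EVENTS):
        print(lid, start, "->", end or "still locked", (end - start) if end else "")
    print("failed while locked:", failed_logons_while_locked(EVENTS, lock_windows(EVENTS)))
```

When 4800 and 4801 are not being logged, `lock_windows` returns nothing and only the type 7 logons from `unlock_logons` remain, which give unlock times but no lock times.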
Jordan Jamingsons
Updated on September 18, 2022
Comments
-
Jordan Jamingsons almost 2 years
The following eventvwr.exe event relates to a screen unlock event: Event ID 4624 (access type: 7) (screen unlock).
Now I need to find the screen lock event, so I can compare the time between when I left the apartment and when the screen locked. If the difference is more than what is set as the screen lock time in the control panel, I will know someone logged on while I was away. Thanks.
NOTE: I'm confused because this post tells another story.
-
Jordan Jamingsons over 8 years
Then what is the difference between Event ID 4624 (access type: 7) and Event ID 4801: The workstation was unlocked?
-
DavidPostill over 8 years
You see both. Look at the sequence of events at the start of my answer.
-
DavidPostill over 8 years
You have to logon before the workstation unlock is generated. For example, if you give the wrong password the logon will fail and the workstation will not unlock.
-
Jordan Jamingsons over 8 years
Yeah, I'm just not getting events 4800 and 4801 on my version of Windows.
-
DavidPostill over 8 years
The wrong password will generate 4625: An account failed to log on
-
Jordan Jamingsons over 8 years
I don't think my intruders would be too stupid to try that, it's just that I don't know where else to look to see if there were any accesses between 12:35 and 14:37.
-
DavidPostill over 8 years
Did you try my suggestion "Were you logged in as an Administrator when you tried to copy the directories? Can you try just copy the contents of C:\SysWOW64\GroupPolicy and paste to C:\Windows\System32\GroupPolicy? Note C:\SysWOW64\GroupPolicyUser is an empty directory so that shouldn't be a problem"? from Windows 7 (Home Premium): eventvwr.exe: How to log workstation locking and unlocking and screensaver invoked and dismissed events
-
Jordan Jamingsons over 8 years
Tried your suggestion with no luck.
-
DavidPostill over 8 years
See my answer Restrict device installation using Registry Editor against BadUSB, there's a batch file that might work for you. You have to modify the batch file as per the instructions.
-
DavidPostill over 8 years
So your "intruders" know the password? Why don't you just change the password? Or lock the screen before you leave?
-
Jordan Jamingsons over 8 years
Because 1. it's too late, and 2. I forgot to lock the screen today.
-
DavidPostill over 8 years
Aaah........ :(
-
DavidPostill over 8 years
I think without 4800 and 4801 you are out of luck.
-
Jordan Jamingsons over 8 years
I hate Windows for this. And I hate Firefox for displaying all the passwords at one click. And I hate Google Drive for not logging the date and time of read-only accesses.
-
DavidPostill over 8 years
Firefox - use a master password. Google Drive - encrypt it with boxcryptor.com/en/google-drive