Windows 7: What is the event ID for a lock event and how to tell if it is user-initiated or not?

What is the event ID for a lock event and how to tell if it is user-initiated or not?

If a user locks the workstation and then immediately unlocks the workstation the following events are logged (read from the bottom up in the image):

  • 4800 The workstation was locked
  • 4648 A logon was attempted using explicit credentials
  • 4624 An account was successfully logged on
  • 4672 Special privileges assigned to new logon
  • 4801 The workstation was unlocked

4800: The workstation was locked

  • When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged.
  • To find out when the user returned and unlocked the workstation look for event ID 4801.
  • If a screen saver is used, there is a relationship between this event and 4802/4803. See event ID 4802 for an explanation of the sequence of events.

Description Fields

The user and logon session involved.

  • Security ID: The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Source 4800: The workstation was locked


4801: The workstation was unlocked

  • When a user unlocks his workstation you will see this event.

  • To find out when the workstation was previously locked look backwards in time for event ID 4800.

  • If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed).

  • For Interactive logons you may see this event or 4803.

Source 4801: The workstation was unlocked


4624: An account was successfully logged on

  • This is a highly valuable event since it documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account.
  • You can tie this event to logoff events 4634 and 4647 using Logon ID.

Source 4624: An account was successfully logged on


What is the difference between windows events 4801 and 4624?

  • Event ID 4624 is generated when an account successfully logs on.
  • Event ID 4801 is generated when the workstation is unlocked.
  • You get both of these events when a user unlocks the workstation.
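
The correlation described in this answer, as an added example that is not part of the original answer: it lists the lock, unlock, screen-saver and interactive logon events for a time window in chronological order and pairs each 4800 with the next 4801 for the same account. It assumes PowerShell 3.0 or later, an elevated session, and that the "Other Logon/Logoff Events" audit subcategory is enabled so that 4800 to 4803 are written; the time window is a placeholder.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell
# session; reading the Security log requires administrative rights.
$start = Get-Date '2024-01-01 12:00'   # placeholder: start of the period to review
$end   = Get-Date '2024-01-01 15:00'   # placeholder: end of the period to review

$label = @{
    4624 = 'logon succeeded';      4625 = 'logon failed'
    4800 = 'workstation locked';   4801 = 'workstation unlocked'
    4802 = 'screen saver invoked'; 4803 = 'screen saver dismissed'
}
# Logon types that involve someone at a console or remote desktop:
# 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive, 11 = CachedInteractive
$interactive = '2', '7', '10', '11'

# SilentlyContinue hides the "no events found" error when the window is empty.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4800, 4801, 4802, 4803
    StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$timeline = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on property positions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Skip service, batch and network logons; keep every lock/screen-saver event.
    if (($e.Id -in 4624, 4625) -and ($data['LogonType'] -notin $interactive)) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Event     = $label[$e.Id]
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
        LogonId   = $data['TargetLogonId']
    }
}
$timeline | Format-Table -AutoSize

# Pair each lock (4800) with the next unlock (4801) for the same account.
$lockedAt = @{}
foreach ($row in $timeline) {
    if ($row.Id -eq 4800) { $lockedAt[$row.Account] = $row.Time }
    elseif ($row.Id -eq 4801 -and $lockedAt.ContainsKey($row.Account)) {
        '{0} locked {1:HH:mm:ss}, unlocked {2:HH:mm:ss} ({3:N1} min)' -f $row.Account,
            $lockedAt[$row.Account], $row.Time, ($row.Time - $lockedAt[$row.Account]).TotalMinutes
        $lockedAt.Remove($row.Account)
    }
}
```

Any account left in `$lockedAt` afterwards was locked but not unlocked inside the window. An empty timeline for 4800 to 4803 alongside present 4624 events indicates the lock/unlock auditing is not enabled rather than that no lock occurred.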

Author: Jordan Jamingsons

Updated on September 18, 2022

Comments

  • Jordan Jamingsons
    Jordan Jamingsons almost 2 years

    The following eventvwr.exe event relates to a screen unlock event:

    Event ID 4624 (access type: 7) (screen unlock)

    Now I need to find the screen lock event, so I can compare the time between when I left the apartment and when the screen locked. If the difference is more than what is set as the screen lock time in the control panel, I will know someone logged on while I was away. Thanks.

    NOTE:

    I'm confused because this post tells another story.

  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    Then what is the difference between Event ID 4624 (access type: 7) and Event ID 4801: The workstation was unlocked?
  • DavidPostill
    DavidPostill over 8 years
    You see both. Look at the sequence of events at the start of my answer.
  • DavidPostill
    DavidPostill over 8 years
    You have to logon before the workstation unlock is generated. For example, if you give the wrong password the logon will fail and the workstation will not unlock.
  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    Yeah, I'm just not getting events 4800 and 4801 on my version of Windows.
  • DavidPostill
    DavidPostill over 8 years
    The wrong password will generate 4625: An account failed to log on
  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    I don't think my intruders would be too stupid to try that, it's just that I don't know where else to look to see if there were any accesses between 12:35 and 14:37.
  • DavidPostill
    DavidPostill over 8 years
    Did you try my suggestion "Were you logged in as an Administrator when you tried to copy the directories? Can you try just copy the contents of C:\SysWOW64\GroupPolicy and paste to C:\Windows\System32\GroupPolicy? Note C:\SysWOW64\GroupPolicyUser is an empty directory so that shouldn't be a problem"? from Windows 7 (Home Premium): eventvwr.exe: How to log workstation locking and unlocking and screensaver invoked and dismissed events
  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    Tried your suggestion with no luck.
  • DavidPostill
    DavidPostill over 8 years
    See my answer Restrict device installation using Registry Editor against BadUSB, there's a batch file that might work for you. You have to modify the batch file as per the instructions.
  • DavidPostill
    DavidPostill over 8 years
    So your "intruders" know the password? Why don't you just change the password? Or lock the screen before you leave?
  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    Because 1. it's too late, and 2. I forgot to lock the screen today.
  • DavidPostill
    DavidPostill over 8 years
    Aaah........ :(
  • DavidPostill
    DavidPostill over 8 years
    I think without 4800 and 4801 you are out of luck.
  • Jordan Jamingsons
    Jordan Jamingsons over 8 years
    I hate Windows for this. And I hate Firefox for displaying all the passwords at one click. And I hate Google Drive for not logging the date and time of read-only accesses.
  • DavidPostill
    DavidPostill over 8 years
    Firefox - use a master password. Google Drive - encrypt it with boxcryptor.com/en/google-drive