How to Get User Logon Session Times from the Event Log


To figure out user session time, you’ll first need to enable three advanced audit policies: Audit Logoff, Audit Logon and Audit Other Logon/Logoff Events.

The combination of these three policies gets you all of the typical logon/logoff events, but also the workstation lock/unlock events and even RDP connect/disconnects. This ensures we capture all of the session start/stop events.

When these policies are enabled in a GPO and applied to a set of computers, a few different event IDs will begin to be generated. They are:

  • Logon – 4624 (Security event log)
  • Logoff – 4647 (Security event log)
  • Startup – 6005 (System event log)
  • RDP Session Reconnect – 4778 (Security event log)
  • RDP Session Disconnect – 4779 (Security event log)
  • Locked – 4800 (Security event log)
  • Unlocked – 4801 (Security event log)

You’ll notice the startup event. Why that one? Consider what happens if the computer’s power plug is pulled while a user is logged in: how will we know when that happened? The startup event is not a perfect metric, but it’s the only date/time we have to show when the session ended.

Once we’ve got all of the IDs put together, we then need to match each session start event with the very next session end event. But what if multiple users log into the same computer? To differentiate them we can use the Logon ID field, which is unique for each logon session. If we find a session start event and then look up through the event log for the next session stop event with the same Logon ID, we’ve found that user’s total session time.

In this instance, you can see that the LAB\Administrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. I then looked up through the event log at the subsequent messages until I found a session end event (ID 4634) that showed up with the same Logon ID at 5:30PM on the same day. Knowing this Logon ID, I was then able to deduce that the LAB\Administrator account had been logged on for three minutes or so.

This was just a quick demonstration of actual logon/logoff scenarios. You’ll find that when you review a computer in the “real world” you can’t always depend on logon/logoff events alone if you’d like to find user session durations. Multiple scenarios may come into play, such as when a user locks her computer and comes back to unlock it. Or she may lock her computer and then the power gets cut: there will be no unlock event, only a startup event. These are the gotchas you need to watch out for to accurately calculate user session history.
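As an added example (not code from the original post), the following Python pairs each session start with the next end event carrying the same Logon ID, over a few constructed records written in the Windows event XML schema (the shape `wevtutil qe Security /f:xml` produces). The user names, Logon IDs and timestamps are constructed sample data, and the 6005 startup record is assumed to have been merged in from the System log so that a boot closes any session still open.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SESSION_START = {4624, 4801, 4778}      # logon, unlock, RDP reconnect
SESSION_END = {4634, 4647, 4800, 4779}  # logoff, user-initiated logoff, lock, RDP disconnect
STARTUP = 6005                          # System log: machine booted, so any open session is over

def record(event_id, when, **data):
    """Build one constructed record in Windows event XML form (sample data, not a real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{fields}</EventData></Event>')

# Constructed sample: one short admin session, and a user who locks, unlocks, then loses power.
SAMPLE = "<Events>" + "".join([
    record(4624, "2015-08-27T17:28:00Z", TargetDomainName="LAB", TargetUserName="Administrator", TargetLogonId="0x146FF6"),
    record(4624, "2015-08-27T17:29:00Z", TargetDomainName="LAB", TargetUserName="alice", TargetLogonId="0x15A2B0"),
    record(4634, "2015-08-27T17:30:00Z", TargetDomainName="LAB", TargetUserName="Administrator", TargetLogonId="0x146FF6"),
    record(4800, "2015-08-27T17:45:00Z", TargetDomainName="LAB", TargetUserName="alice", TargetLogonId="0x15A2B0"),
    record(4801, "2015-08-27T17:50:00Z", TargetDomainName="LAB", TargetUserName="alice", TargetLogonId="0x15A2B0"),
    record(6005, "2015-08-27T18:10:00Z"),  # power cut while alice was logged on: no logoff ever arrives
]) + "</Events>"

def parse_events(xml_text):
    """Return (time, event_id, {Data Name: value}) for every <Event>, sorted by time."""
    out = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        system = ev.find(f"{{{EVT_NS}}}System")
        stamp = system.find(f"{{{EVT_NS}}}TimeCreated").get("SystemTime")[:19]  # drop fractional seconds
        data = {d.get("Name"): d.text for d in ev.iter(f"{{{EVT_NS}}}Data")}
        out.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), int(system.find(f"{{{EVT_NS}}}EventID").text), data))
    return sorted(out, key=lambda t: t[0])

def session_durations(xml_text):
    """Pair each session start with the next end event carrying the same Logon ID.
    Returns (user, logon_id, start, end, minutes, closing_event_id) tuples."""
    open_sessions, sessions = {}, []
    for when, event_id, data in parse_events(xml_text):
        logon_id = data.get("TargetLogonId", "").lower()  # hex case varies between tools
        if event_id in SESSION_START:
            open_sessions[logon_id] = (f'{data["TargetDomainName"]}\\{data["TargetUserName"]}', when)
        elif event_id in SESSION_END and logon_id in open_sessions:
            user, start = open_sessions.pop(logon_id)
            sessions.append((user, logon_id, start, when, int((when - start).total_seconds() // 60), event_id))
        elif event_id == STARTUP:
            # Boot with no logoff recorded: the startup time is the best end time we have.
            for lid, (user, start) in open_sessions.items():
                sessions.append((user, lid, start, when, int((when - start).total_seconds() // 60), STARTUP))
            open_sessions.clear()
    return sessions
```

Each returned tuple records which event closed the segment, so sessions that were only ended by a 6005 boot can be flagged as estimates rather than exact durations.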
