I find it useful to know exactly when I lock and unlock my PC, but this often requires a change to user auditing in Group or Local Security Policy. It’s also useful to create a custom view in Event Viewer for those events because they’ll be overwritten too quickly in the Windows Security Log.

Before making any changes, check if you’re already logging lock and unlock events. Open Event Viewer (Start menu > Control Panel > Administrative Tools > Event Viewer) and navigate to the Security Log. You can either lock and unlock your screen, then refresh the Security log to see the events, or you can click on Filter Current Log in the Actions menu in the right-hand pane.

The event IDs are 4800: The workstation was locked, and 4801: The workstation was unlocked.

If you are already logging those events you’ll see them in the Security log, like in the image above. You can check this log whenever you need to know when someone locked or unlocked the local machine, but Security logs are overwritten fairly quickly. In some cases they’ll only be available for hours, or minutes. If you need longer retention you should create a custom view.

However, if you are not logging these events, you’ll need to edit policy.

If you are creating a new GPO to push to your domain workstations, do this:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policies > Logon/Logoff > Audit Other Logon/Logoff Events > Enable Success.

If you want to do this on your local workstation only, use the Local Security Policy editor. Note that on a domain-joined machine some of these options may be overridden by settings your domain administrator pushes through Group Policy. To edit the Local Security Policy, do this:

  1. Win+R to open Run
  2. Type secpol.msc > OK
    • (Or search for Local Security Policy from the Start Menu)
  3. In Local Security Policy navigate to Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff > Audit Other Logon/Logoff Events
  4. Checkmark ‘Configure the following audit events:’ and ‘Success’ > Click OK

To apply changes, update group policy. If you are joined to a domain, you’ll need to be able to contact your domain controller to apply even local policy changes, so remote workstations or laptops may need to connect to their corporate network via VPN or similar.

  1. Open a Command Prompt (Win+R > Type cmd > OK)
  2. Type:
    • gpupdate /force | gpupdate /force
    • Enter
      • I like to pipe gpupdate into a second gpupdate to make sure it applies.

You can test this by locking and unlocking the workstation and looking in the Windows Security Log for events 4800 and 4801.

To create a custom view in Windows Event Viewer:

  1. Open Event Viewer
  2. Right-click on the Custom Views folder
  3. Under By log – Event logs: checkmark the Windows Logs > Security Log checkbox.
  4. In the field that says <all Event IDs>, enter
    • 4800,4801
    • You could also add additional Event IDs and sources during this step so that you need fewer separate custom views. I recommend 7001,7002,4800,4801,529,540,4647,4608,4609 and just selecting the Windows Logs box.
  5. Click OK.
  6. In the Save Filter to Custom View window that pops up, give your custom view a Name. The Description is optional.
  7. In the ‘Select where to save the Custom view:’ box, Custom Views is automatically selected as the location of your custom view. Click OK if this is where you want to place your view.
    • To place your view elsewhere select a different folder or click the New Folder button to create and name a new folder. Click OK to exit.
  8. View your Custom view in Event Viewer.

Here are the descriptions for the additional events I recommend filtering for in this custom view:

7001 = Logon
7002 = Logoff
4800 = Lock
4801 = UnLock
529 = Logon Failure
540 = Successful Network Logon
4647 = User initiated logoff
4608 = Windows is starting up
4609 = Windows is shutting down
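The same checks done from PowerShell, as an added example that is not part of the original post: it confirms the audit subcategory enabled above is actually on, lists who locked and unlocked the machine, and runs the same XML filter the custom view uses so you can test it before saving the view. It assumes an elevated prompt (reading the Security log needs administrator rights or membership in Event Log Readers).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

# 1. Confirm the subcategory the policy steps enable is set to audit Success.
#    auditpol is built into Windows; the output should show "Success" for it.
auditpol /get /subcategory:"Other Logon/Logoff Events"

# 2. Pull lock (4800) and unlock (4801) events from the last 24 hours and show
#    when they happened and which account triggered them. -FilterHashtable is
#    evaluated inside the event log service, so it is far faster than filtering
#    the whole log in PowerShell.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4800, 4801
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read TargetUserName from the event XML by name instead of relying on the
    # position of the value in $_.Properties.
    $xml  = [xml]$_.ToXml()
    $user = ($xml.Event.EventData.Data |
             Where-Object Name -eq 'TargetUserName').'#text'
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Event = if ($_.Id -eq 4800) { 'Lock' } else { 'Unlock' }
        User  = $user
    }
} | Sort-Object Time | Format-Table -AutoSize

# 3. The wider filter recommended for the custom view (Windows Logs, IDs
#    7001,7002,4800,4801,529,540,4647,4608,4609), written as the XML that
#    Event Viewer shows on the custom view's XML tab. 7001/7002 live in the
#    System log, the rest in Security. Note that 529 and 540 are the
#    Windows XP/2003-era IDs; on Vista and later look for 4625 and 4624 instead.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4800 or EventID=4801 or EventID=529 or EventID=540
        or EventID=4647 or EventID=4608 or EventID=4609)]]
    </Select>
    <Select Path="System">*[System[(EventID=7001 or EventID=7002)]]</Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LogName,
        @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

If step 1 reports "No Auditing", the gpupdate has not applied yet or a domain policy is overriding the local setting, which is the first thing to check when no 4800/4801 events appear.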

By Atomosk
