What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?
You will need to enable logging of these events. Do so by opening the group policy editor:
and configuring the following category:
(In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)
For Windows 10 the event ID for lock=4800 and unlock=4801.
As it says in the answer provided by Mario and User 00000, you will need to enable logging of lock and unlock events by using their method described above by running gpedit.msc and navigating to the branch they indicated:
Enable for both success and failure events.
After enabling logging of those events you can filter for Event ID 4800 and 4801 directly.
This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer.
Unfortunately there is no such thing as Lock/Unlock. What you have to do is:
Enter the below query:
That's it
Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success
Enables the following:
Windows 10 professional
To identify unlock screen I believe that you can use ID 4624. But then you also need to look at the Logon Type which in this case is 7: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
Event ID for Logoff is 4634
The event IDs to look for in pre-Vista Windows are 528, 538, and 680. 528 usually stands for successful unlock of workstation.
The codes for newer Windows versions differ; see the answers below for more info.
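The filtering described in the answers above (event IDs 4800 and 4801, plus 4624 restricted to Logon Type 7), as an added PowerShell example that is not part of any original answer. It assumes an elevated session and that the audit subcategory is already enabled; the function names `Get-LockUnlockEvent` and `Get-LockedInterval` are hypothetical.

```powershell
# Added example. Assumes an elevated PowerShell session and that auditing is on, e.g.:
#   auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

function Get-LockUnlockEvent {           # hypothetical helper name
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4800, 4801, 4624; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            # Named EventData fields are only exposed through the event XML.
            $data = @{}
            foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # 4624 covers every logon; keep only Logon Type 7 (unlock).
            if ($ev.Id -eq 4624 -and $data['LogonType'] -ne '7') { return }
            [pscustomobject]@{
                Time = $ev.TimeCreated
                Id   = $ev.Id
                User = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            }
        } | Sort-Object Time
}

function Get-LockedInterval {            # hypothetical helper name
    param([object[]]$LockEvent)
    $pending = @{}                       # user -> time of the last unmatched 4800
    foreach ($e in $LockEvent) {
        if ($e.Id -eq 4800) {
            $pending[$e.User] = $e.Time
        } elseif ($e.Id -eq 4801 -and $pending.ContainsKey($e.User)) {
            [pscustomobject]@{
                User = $e.User; Locked = $pending[$e.User]; Unlocked = $e.Time
                Duration = $e.Time - $pending[$e.User]
            }
            $pending.Remove($e.User)
        }
    }
}

Get-LockedInterval -LockEvent (Get-LockUnlockEvent) | Format-Table -AutoSize
```

An unlock whose matching lock falls before `-Since` is skipped rather than paired, and the 4624 records are listed by the first function but not used for pairing.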