How to filter out user keyboard only login times from the 4624 Event Log data?

I am trying to filter out from the Security Event Log those logs which correspond to the user (me) logging in by typing out the password on the keyboard. I would like it to detect unlocking the screen as well as logging in after turning the PC on.

I believe the Event ID responsible for this is 4624.

My issue is that there is a multitude of those Event IDs created each time a login occurs.

To filter this out I check in the XML of all 4624 Event IDs for:

  1. If "LogonType" == 2; type two is assigned to interactive keyboard/screen logon.

  2. If "TargetUserName" == Myusername; this removes all the logon events initiated by other services.

  3. If "LogonGuid" != "00000000-0000-0000-0000-000000000000"; this removes redundant copies of the login event which also have my name as "TargetUserName" and happen within a few milliseconds of a login with a non-zero GUID.

I am not sure whether this is the correct approach, as using it seems to miss the login event after bootup. None of the events around the time I logged in for the first time after shutdown have all three conditions satisfied.

Today around 9:30 there was an array of 4624 events, but none that would fit my criteria. Below is my log in/out extract; there are two consecutive logout events with no login in between them. I did log in around 9:30 though.

Log in:   12-10T13:45:09.92629
Log out: 12-10T13:06:44.29530
Log in: 12-10T09:59:15.51808
Log out: 12-10T09:48:59.63086 <--
Log out: 12-07T17:36:59.08875 <--
Log in: 12-07T15:12:21.93870
Log out: 12-07T15:10:52.82871
Log in: 12-07T14:05:37.53658
Log out: 12-07T13:57:03.61220
Log in: 12-07T13:35:47.04114
Log out: 12-07T13:35:33.83213
Log in: 12-07T13:19:58.33986
Log out: 12-07T13:19:49.87156
Log in: 12-07T12:54:40.80056
Log out: 12-07T12:15:52.70091
Log in: 12-07T09:50:54.37527
Log out: 12-07T09:33:20.24622
Log in: 12-07T09:32:22.36908
Log out: 12-06T17:10:28.06655
Log in: 12-06T16:37:02.14689
Log out: 12-06T16:26:36.92315
Log in: 12-06T12:58:48.43339
Log out: 12-06T12:04:33.35497

There is an event with LogonType of value 2, but its TargetUserName is UMFD-0; at the same time there is another event with the correct username (me) as the TargetUserName, but the LogonType is 11.

I have restarted and tried finding it again, and this time there was an event that satisfied those three filters. I am not sure if this was a one-off or, more likely, my understanding is way off.

How do I structure my script to find the times I have logged in from the keyboard using Windows Event IDs?

Thanks!

      windows keyboard script login event-log

      edited Dec 10 at 15:10

      asked Dec 10 at 14:27

      mega_creamery

          1 Answer

It seems my filtering approach is only partially correct, as not every keyboard login manifests itself in the Event Viewer as Event 4624 of type 2. Below is a table of Logon Types along with their descriptions; the table is sourced from ultimatewindowssecurity.

Logon Type   Description
----------   ------------------------------------------------------------------------------------------
2            Interactive (logon at keyboard and screen of system)
3            Network (i.e. connection to shared folder on this computer from elsewhere on network)
4            Batch (i.e. scheduled task)
5            Service (service startup)
7            Unlock (i.e. unattended workstation with password-protected screen saver)
8            NetworkCleartext (logon with credentials sent in clear text; most often indicates
             a logon to IIS with "basic authentication")
9            NewCredentials, such as with RunAs or mapping a network drive with alternate credentials.
             This logon type does not seem to show up in any events. If you want to track users attempting
             to log on with alternate credentials see 4648. MS says "A caller cloned its current token and
             specified new credentials for outbound connections. The new logon session has the same local
             identity, but uses different credentials for other network connections."
10           RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11           CachedInteractive (logon with cached domain credentials, such as
             when logging on to a laptop when away from the network)

The exact definition of an interactive login is still a bit fuzzy to me as I find conflicting definitions, but types 10 and 11 have Interactive in their description. Type 11 occurs when I log in to my workstation while not connected to the network.

Adding that event and type to the filter has allowed me to fish out all of the login events.

                answered Dec 13 at 12:16

                mega_creamery
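
One way to script the filter described in the question and widened by the answer, as an added example that is not code from the original post or its author. It assumes Windows PowerShell 5.1 or later with Get-WinEvent, and either an elevated prompt (the Security log is not readable otherwise) or an exported .evtx passed via -Path; the function names Get-InteractiveLogon and Read-EventData, the parameter names and the 2-second collapse window are this example's own choices. It asks the event log for 4624 events of the target user with logon types 2 (console), 7 (unlock, which is what screen unlocking produces), 10 (RDP) and 11 (cached domain credentials, the case the question saw at boot with no network), pairs each logon with its 4634/4647 logoff through TargetLogonId, and collapses the two same-instant 4624 events a UAC split-token logon writes by time rather than by LogonGuid, because the GUID is also all zeros for NTLM and local-account logons. Matching TargetUserName exactly also discards the type 2 events logged for the per-session UMFD-x (font driver host) and DWM-x accounts the question noticed.

```powershell
# Added example, not code from the original post or its author. Lists one user's
# interactive logons from the Security log and pairs each with its logoff.
# Needs an elevated prompt, or an exported .evtx passed via -Path.
# Function and parameter names and the collapse window are this example's own assumptions.

# Flatten <EventData><Data Name="...">value</Data>... of one record into a hashtable.
function Read-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-InteractiveLogon {
    param(
        [string]$UserName = $env:USERNAME,      # as it appears in TargetUserName (the XPath compare is case-sensitive)
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$Path = '',                     # optional .evtx for offline / forensic use
        [int[]]$LogonTypes = @(2, 7, 10, 11),   # console, unlock, RDP, cached-credential
        [int]$CollapseSeconds = 2
    )
    $typeNames = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
    $ms = [long]((Get-Date) - $Since).TotalMilliseconds   # timediff() in event-log XPath works in milliseconds

    # XPath evaluated by the event log itself, so only matching records are returned.
    # The exact TargetUserName match also drops the UMFD-x / DWM-x session accounts, which log their own type 2.
    $typeClause  = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $logonXPath  = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
                   "EventData[Data[@Name='TargetUserName']='$UserName' and ($typeClause)]]"
    $logoffXPath = "*[System[(EventID=4634 or EventID=4647) and TimeCreated[timediff(@SystemTime) <= $ms]] and " +
                   "EventData[Data[@Name='TargetUserName']='$UserName']]"

    $source  = if ($Path) { @{ Path = $Path } } else { @{ LogName = 'Security' } }
    $logons  = @(Get-WinEvent @source -FilterXPath $logonXPath  -ErrorAction SilentlyContinue)
    $logoffs = @(Get-WinEvent @source -FilterXPath $logoffXPath -ErrorAction SilentlyContinue)

    # Logoff time per session: 4634/4647 carry the same TargetLogonId as the 4624 that opened the session.
    $logoffAt = @{}
    foreach ($e in $logoffs) {
        $id = (Read-EventData $e)['TargetLogonId']
        if ($id -and -not $logoffAt.ContainsKey($id)) { $logoffAt[$id] = $e.TimeCreated }
    }

    # One record per logon. Under UAC an administrator's interactive logon writes two 4624s in the same
    # instant (full token and filtered token), and LogonGuid is all zeros for NTLM and local-account logons
    # as well, so duplicates are collapsed by time and logon type rather than by GUID.
    $lastSeen = @{}
    $logons | ForEach-Object {
        $d = Read-EventData $_
        $t = [int]$d['LogonType']
        [pscustomobject]@{
            LogonTime  = $_.TimeCreated
            LogonType  = $t
            TypeName   = $typeNames[$t]
            LogonId    = $d['TargetLogonId']
            LogonProc  = $d['LogonProcessName']
            LogoffTime = $logoffAt[$d['TargetLogonId']]
        }
    } | Sort-Object LogonTime | Where-Object {
        $prev = $lastSeen[$_.LogonType]
        $lastSeen[$_.LogonType] = $_.LogonTime
        (-not $prev) -or (($_.LogonTime - $prev).TotalSeconds -ge $CollapseSeconds)
    }
}

# Usage: the last two weeks of the current user's console/unlock/RDP/cached logons, oldest first.
Get-InteractiveLogon -Since (Get-Date).AddDays(-14) |
    Format-Table LogonTime, TypeName, LogonProc, LogoffTime -AutoSize
```

For a collected log rather than the live machine, pass -Path to the .evtx and -UserName for the account of interest. A row with an empty LogoffTime is a session that is still open or ended without a logoff record (crash or hard power-off); 4647 marks a logoff the user initiated, while 4634 closes any session, including the ones the unlock and cached-credential logons create.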