Audit user log on & log off on Windows systems

Twice  in the last month I’ve been requested to determin the usage history of a user for client sites.  Simply put, do you have a user that claims to worked a weekend or late night and you need to audit their history, or if someone is accessing items they should not.  You could scan through event viewer manually, use some commercial or freeware tool but installing third party software may not be allowed or secure.

Enter EventCombMT, a windows utility now part of the Account Lockout and Management Tools available from Microsoft.  As a stand alone tool you should have no problem with your company security administrator allowing usage, simply download, extract to a folder (temp or otherwise) and run.

So what can this handy little item do?  Well it will search the event logs of any server (or desktop) accessible via IP, FQDN or on the Domain.  You can specify time and date, handy for say looking for events over a weekend, keywords and event id(s).

Event ID(s) for tracking user logon and logoff:

512 / 4608 STARTUP
513 / 4609 SHUTDOWN
528 / 4624 LOGON
538 / 4634 LOGOFF
551 / 4647 BEGIN_LOGOFF
N/A / 4778 SESSION_RECONNECTED
N/A / 4779 SESSION_DISCONNECTED
N/A / 4800 WORKSTATION_LOCKED
* / 4801 WORKSTATION_UNLOCKED
N/A / 4802 SCREENSAVER_INVOKED
N/A / 4803 SCREENSAVER_DISMISSED

eventcombmt_logon_logoffLet’s take a usage example, we want to find out if johndoe was working this weekend and are going to search all the servers, and his desktop for Logon (4624) and Logoff (4364) events, (keep in mind things like screen locking and screensavers are different Event IDs).

It will scan all the event logs, and save anything that contains “johndoe” with eventid 4624 or 4634 and write it out to a logfile with the computer name.  Now instead of looking through thousands or millions of log files you have a nice set of audit logs containing exactly what you are looking for.  Play around with it, feel free to comment on how you use the tool or if you have a better, simpler, faster, whatever solution please let us know.

 

 

 

 

 

Article by Bizanator

I'm a security researcher, pentester and general IT guru professionally since 2003. While IT and security has been a habit of mine, literally learning my ABCs on an Apple IIe I have worked on virtually every operating system in the past 25 years. Learning about memory manipulation starting in the early Blizzard days I found an affinity in security and exploit development. My career has allowed me to work in a variety of industries and have been a strong supporter of open source and virtualization. My goal here is to provide a forum of information where when you're brain dead hopefully myself or one of our members can work together in the spirit of open source and resolving those brain dead moments. You can request a consultation with me on Maven.

Leave a Reply