Home > Event Id > Event Id 4802

Event Id 4802

Contents

from Windows 7 (Home Premium): eventvwr.exe: How to log workstation locking and unlocking and screensaver invoked and dismissed events –DavidPostill Oct 28 '15 at 22:28 1 See my answer Restrict A Little Cryptic Puzzle How did Adebisi make his hat hanging on his head? Also, you may have noticed that lines 27 and 28 include a commented event id that applies to Vista. Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. have a peek at this web-site

windows eventviewer share|improve this question edited Jun 19 '13 at 11:11 Peter Mortensen 10.6k1372108 asked Jul 8 '12 at 17:31 user1500194 178125 add a comment| 5 Answers 5 active oldest votes I suggest you run the script locally and report back what you would like to change.Hope this helps,Marjolein Proposed as answer by MarjoleinJ Wednesday, April 22, 2009 8:25 AM Marked as When does it make sense to duplicate data for querying Did Joseph Smith “translate the Book of Mormon”? Bash regex test not working Authentication Error for ABBY Ocr Sdk!

Event Id 4802

Register December 2016 Patch Monday "Patch Monday: Fairly Active Month for Updates " - sponsored by LOGbinder current community blog chat Super User Meta Super User your communities Sign up or Examples can include the following: Remote Desktop session disconnections New Remote Desktop sessions Locking and unlocking a workstation Invoking a screen saver Dismissing a screen saver Detection of a Kerberos replay You might want to extract only certain information.

  • Is it bad practice to use GET method as login username/password for administrators?
  • asked 1 year ago viewed 1758 times active 1 year ago Linked 6 In Windows 7, How to query times, when the computer was locked? 1 Restrict device installation using Registry
  • If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed).
  • When was today's radar measurement of the Earth-Sun distance made and by who?
  • How to turn on Xbox One from Windows 10 PC using Cortana When jumping a car battery, why is it better to connect the red/positive cable first?
  • Security ID: The SID of the account.

asked 2 years ago viewed 3667 times active 2 years ago Linked 6 In Windows 7, How to query times, when the computer was locked? Microsoft Customer Support Microsoft Community Forums Script Center   Sign in United States (English) Brasil (Português)Česká republika (Čeština)Deutschland (Deutsch)España (Español)France (Français)Indonesia (Bahasa)Italia (Italiano)România (Română)Türkiye (Türkçe)Россия (Русский)ישראל (עברית)المملكة العربية السعودية (العربية)ไทย (ไทย)대한민국 (한국어)中华人民共和国 I've read that you may need to turn on Auditing to get these to register in a log file. Event Code 4801 Note C:\SysWOW64\GroupPolicyUser is an empty directory so that shouldn't be a problem"?

If the difference is more than what is set as the screen lock time in the control panel, I will know someone logged on while I was away. Enable Event Id 4800 To find out when the user returned and unlocked the workstation look for event ID 4801. Security ID: The SID of the account. https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4801 And if so, have you attached the script as a logoff script in a GPO attached to the OU your users reside in?

Account Name: The account logon name. Audit Other Account Logon Events By creating an account, you're agreeing to our Terms of Use, Privacy Policy and to receive emails from Spiceworks. You get both of these events when a user unlocks the workstation. The content you requested has been removed.

Enable Event Id 4800

I guess you can find this same menu here as well as the Local Security Policy editor but I like how you can get there by gpedit.msc. http://superuser.com/questions/993178/windows-7-what-is-the-event-id-for-a-lock-event-and-how-to-tell-if-it-is-user-i is it possible to trigger the running of a batch file or some other actual script at the time of a computer unlock event, without having to have a background process Event Id 4802 Memorable ordinals Equation system with two unknown variables A few rebus puzzles Are people of Nordic Nations "happier, healthier" with "a higher standard of living overall than Americans"? Event Id 4803 I suggest you run the script locally and report back what you would like to change.Hope this helps,Marjolein Proposed as answer by MarjoleinJ Wednesday, April 22, 2009 8:25 AM Marked as

Are people of Nordic Nations "happier, healthier" with "a higher standard of living overall than Americans"? http://3swindows.com/event-id/event-id-562.html That's how I've tested the script anyway.Best wishes,Marjolein Thursday, June 11, 2009 9:03 PM Reply | Quote 0 Sign in to vote Hi M,Sorry but I don't see the lock and Found my settings for Windows 7's Local Security Policy 'tool' Under Security Settings->Advanced Audit Policy Configuration->System Audit Policies - Local Group Policy Object->Logon/Logoff->Audit Other Logon/Logoff Events which captured locking and unlocking i was being lazy and only gave a part answer, i should have mentioned turning on the auditing.  7001 = 'Logon'  7002 = 'Logoff'  4800 = 'Lock'  4801 = 'UnLock'  529 Audit Other Logon/logoff Events

A Little Cryptic Puzzle At what point is brevity no longer a virtue? A Little Cryptic Puzzle Hacker used picture upload to get PHP code into my site Which was the last major war in which horse mounted cavalry actually participated in active fighting? Thursday, February 18, 2010 12:44 PM Reply | Quote 0 Sign in to vote Hi Minok, Sorry I didn't reply to this sooner. Source more hot questions question feed about us tour help blog chat data legal privacy policy work here advertising info mobile contact us feedback Technology Life / Arts Culture / Recreation Science

You can then specify a script or application to run when it occurs. Windows 7 Logon Event Id Free Security Log Quick Reference Chart Description Fields in 4800 Subject: The user and logon session involved. If so, please note the event id's to see if they match the ones in the script.

If you don't see them in the Event Viewer, for recording future events try opening the Local Group Policy Editor (Start / Run / gpedit.msc), navigating to: Computer Configuration / Windows

add a comment| 1 Answer 1 active oldest votes up vote 0 down vote you will have to do some experimentation to determine the exact footprint based on your network configuration You can then specify a script or application to run when it occurs.Hope this helps,Marjolein Friday, January 08, 2010 1:36 PM Reply | Quote 0 Sign in to vote On Windows If a screen saver is used, there is a relationship between this event and 4802/4803 See event ID 4802 for an explanation of the sequence of events. Logon Logoff Event Id Subject: Security ID: WIN-R9H529RIO4Y\Administrator Account Name: Administrator Account Domain: WIN-R9H529RIO4Y Logon ID: 0x1be4b Session ID: 1 Keep me up-to-date on the Windows Security Log.

When does it make sense to duplicate data for querying How do you express any radical root of a number? Yes No Do you like the page design? At what point is brevity no longer a virtue? have a peek here Source 4800: The workstation was locked 4801: The workstation was unlocked When a user unlocks his workstation you will see this event.

Description Fields The user and logon session involved. Local Machine or AD? Security ID: The SID of the account. To minimize the time this script takes to execute, I've set it to search for events starting the day before.

Event ID 4801 is generated when the workstation is unlocked. Top 10 Windows Security Events to Monitor Examples of 4801 The workstation was unlocked. Output N in base -10 Movie about a girl who had another different life when she dreamed Detect MS Windows Bash remembers wrong path to an executable that was moved/deleted Does more stack exchange communities company blog Stack Exchange Inbox Reputation and Badges sign up log in tour help Tour Start here for a quick overview of the site Help Center Detailed