Event Viewer - Monitor User Account Activity in Windows 8
Old geek, new tricks
Join Date: Jul 2009
Location: A Finnish ex-pat in Leipzig, Germany
Create Event Viewer Log Entries when Users Log in or Log off or Manipulate User Accounts in Windows 8
If you are the sole user of your PC you do most probably not need to monitor and log every attempt to log in, log out, attempts to change or reset a user password and so on. For those who are administrators of a PC used by several users the ability to monitor who's done what and when can be really important.
There are several third party solutions for this purpose. However, I would like to offer you a native Windows solution without buying and / or downloading anything. Some might argue that various third party applications do better job easier. I am not sure of this; Windows Event Logging and Event Viewer are terrible tools when customized to do what you want to.
This tutorial will help show how to have Event Viewer log entries created for every log in, log off, lock PC, unlock PC, reset or change password, and so on on your Windows 8 Pro and Enterprise PC.
Edit Audit Policy for Logon Events and Account Management
1. Press Win + W to open Charms Search for Settings, type Policy and hit Enter to open Group Policy Editor
2. On the left pane browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
3. Double click Audit account logon events on the right pane.
4. Under Audit these attempts select both Success and Failure. Click OK to save settings
5, Repeat the steps 3. and 4. for both Audit account management and Audit logon events
6. Close Group Policy Editor
Select events you want to monitor
You can of course decide yourself which events to monitor, the below is only my recommendation. Complete list of events: Event-o-Pedia Windows 2008 (also valid for Windows 8).
I have set my computers to monitor following events:
| Event ID
|| An account was successfully logged on
|| An account failed to log on
|| User initiated logoff
|| A user account was created
|| An attempt was made to change an account's password
|| An attempt was made to reset an account's password
|| A user account was deleted
|| PC was locked
|| PC was unlocked
|| Screensaver ON
|| Screensaver OFF
Create a customized filter in Event Viewer to monitor your events
1. Press Win + W to open Charms Search for Settings, type Event and hit Enter to open Event Viewer
2. Browse to Windows Logs > Security on the left pane, click Filter Current Log on Actions pane on the right
3. Set a time period of your choice and type the event IDs from Part 2 to the Includes / Excludes text field. If the Part 2. list of events is what you want to you can alternatively copy and paste the below string:
4. Click OK to create a customized event filter
5. Click Save Filter to Custom View, name your filter and click OK
6. You will now see your filter in Event Viewer
That's it. Now you can monitor who has logged in and when, who tried to reset a password, when was the PC locked and so on. Here for instance, I logged out at quarter past 10 PM from my desktop, then logged back in remotely from a laptop about half an hour later:
In the beginning it can be quite confusing to read Event Logs. When you for instance log out, there's not only one logoff event to see but instead several; the internal services are also logging out together with you. A little bit practise and before you even notice it you have learned to find the correct entries.