Event Viewer - Monitor User Account Activity in Windows 8

Create Event Viewer Log Entries when Users Log in or Log off or Manipulate User Accounts in Windows 8

information   Information
If you are the sole user of your PC you do most probably not need to monitor and log every attempt to log in, log out, attempts to change or reset a user password and so on. For those who are administrators of a PC used by several users the ability to monitor who's done what and when can be really important.

There are several third party solutions for this purpose. However, I would like to offer you a native Windows solution without buying and / or downloading anything. Some might argue that various third party applications do better job easier. I am not sure of this; Windows Event Logging and Event Viewer are terrible tools when customized to do what you want to.

This tutorial will help show how to have Event Viewer log entries created for every log in, log off, lock PC, unlock PC, reset or change password, and so on on your Windows 8 Pro and Enterprise PC.





Part 1

Edit Audit Policy for Logon Events and Account Management



1. Press Win + W to open Charms Search for Settings, type Policy and hit Enter to open Group Policy Editor

2. On the left pane browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

3. Double click Audit account logon events on the right pane.
2013-04-15_214141.png

4. Under Audit these attempts select both Success and Failure. Click OK to save settings
2013-04-15_214233.png

5, Repeat the steps 3. and 4. for both Audit account management and Audit logon events

6. Close Group Policy Editor




Part 2

Select events you want to monitor



You can of course decide yourself which events to monitor, the below is only my recommendation. Complete list of events: Event-o-Pedia Windows 2008 (also valid for Windows 8).

I have set my computers to monitor following events:

Event ID

Action

4624

An account was successfully logged on

4625

An account failed to log on

4647

User initiated logoff

4720

A user account was created

4723

An attempt was made to change an account's password

4724

An attempt was made to reset an account's password

4726

A user account was deleted

4800

PC was locked

4801

PC was unlocked

4802

Screensaver ON

4803

Screensaver OFF




Part 3

Create a customized filter in Event Viewer to monitor your events



1. Press Win + W to open Charms Search for Settings, type Event and hit Enter to open Event Viewer

2. Browse to Windows Logs > Security on the left pane, click Filter Current Log on Actions pane on the right

3. Set a time period of your choice and type the event IDs from Part 2 to the Includes / Excludes text field. If the Part 2. list of events is what you want to you can alternatively copy and paste the below string:
Code:
4624,4625,4647,4720,4723,4724,4726,4800-4803
Audit_1.png

4. Click OK to create a customized event filter

5. Click Save Filter to Custom View, name your filter and click OK
Audit_3.png

6. You will now see your filter in Event Viewer
Audit_4.png

That's it. Now you can monitor who has logged in and when, who tried to reset a password, when was the PC locked and so on. Here for instance, I logged out at quarter past 10 PM from my desktop, then logged back in remotely from a laptop about half an hour later:
Audit_2.png

In the beginning it can be quite confusing to read Event Logs. When you for instance log out, there's not only one logoff event to see but instead several; the internal services are also logging out together with you. A little bit practise and before you even notice it you have learned to find the correct entries.

:) Kari


 

Attachments

  • Event_Viewer.png
    Event_Viewer.png
    10.6 KB · Views: 284
Last edited by a moderator:
Logon entry frustration

Hi Kari, with all your knowledge and experience playing with these group policies, have you ever found the event id or how to record the credentials used via UAC to install software or modify settings?
It is a particular problem we have, where a clients system has several staff authorised to install software or make minor modifications, but of course when we find something has been installed or changed, no one claims any knowledge of doing this. (They are meant to fill in forms that are returned to us to update our database with what has been changed on each workstation).
Surely there must be somewhere a local machine can record the credentials used to confirm UAC requests?
But all my searching so far has been fruitless. Yours is the first decent article I have found on recording access logon events, so thought you may have some alternative knowledge or angles you can think of, hopefully.

Best regards
Gregg
 

My Computer

System One

  • OS
    Windows 8
    Computer type
    Laptop
    System Manufacturer/Model
    Heap Of Puss (HP)
    CPU
    Intel i7-3632QM
    Motherboard
    HP
    Memory
    8GB
    Graphics Card(s)
    Intel HD 4000 and AMD Radeon HD 7650M
    Browser
    IE and Firefox
    Antivirus
    Windows Defender

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center
    Computer type
    Laptop
    System Manufacturer/Model
    HP ENVY 17-1150eg
    CPU
    1.6 GHz Intel Core i7-720QM Processor
    Memory
    6 GB
    Graphics Card(s)
    ATI Mobility Radeon HD 5850 Graphics
    Sound Card
    Beats sound system with integrated subwoofer
    Monitor(s) Displays
    17" laptop display, 22" LED and 32" Full HD TV through HDMI
    Screen Resolution
    1600*900 (1), 1920*1080 (2&3)
    Hard Drives
    Internal: 2 x 500 GB SATA Hard Disk Drive 7200 rpm
    External: 2TB for backups, 3TB USB3 network drive for media
    Cooling
    As Envy runs a bit warm, I have it on a Cooler Master pad
    Keyboard
    Logitech diNovo Media Desktop Laser (bluetooth)
    Mouse
    Logitech MX1000 Laser (Bluetooth)
    Internet Speed
    50 MB VDSL
    Browser
    Maxthon 3.5.2., IE11
    Antivirus
    Windows Defender 4.3.9431.0
    Other Info
    Windows in English, additional user accounts in Finnish, German and Swedish.
Back
Top