Event Viewer - Monitor User Account Activity in Windows 8

  1. #1
    Create Event Viewer Log Entries when Users Log in or Log off or Manipulate User Accounts in Windows 8
    Published by Kari
    15 Apr 2013

    Information
    If you are the sole user of your PC, you most probably do not need to monitor and log every attempt to log in, log out, attempts to change or reset a user password and so on. For those who are administrators of a PC used by several users, the ability to monitor who's done what and when can be really important.

    There are several third party solutions for this purpose. However, I would like to offer you a native Windows solution without buying and / or downloading anything. Some might argue that various third party applications do a better job more easily. I am not sure of this; Windows Event Logging and Event Viewer are terrible tools when customized to do what you want them to.

    This tutorial will help show how to have Event Viewer log entries created for every log in, log off, lock PC, unlock PC, reset or change password, and so on on your Windows 8 Pro and Enterprise PC.





    Part 1
    Edit Audit Policy for Logon Events and Account Management


    1. Press Win + W to open Charms Search for Settings, type Policy and hit Enter to open Group Policy Editor

    2. On the left pane browse to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

    3. Double click Audit account logon events on the right pane.


    4. Under Audit these attempts select both Success and Failure. Click OK to save settings

    5. Repeat steps 3 and 4 for both Audit account management and Audit logon events

    6. Close Group Policy Editor




    Part 2
    Select events you want to monitor


    You can of course decide yourself which events to monitor, the below is only my recommendation. Complete list of events: Event-o-Pedia Windows 2008 (also valid for Windows 8).

    I have set my computers to monitor the following events:

    Event ID   Action
    4624       An account was successfully logged on
    4625       An account failed to log on
    4647       User initiated logoff
    4720       A user account was created
    4723       An attempt was made to change an account's password
    4724       An attempt was made to reset an account's password
    4726       A user account was deleted
    4800       PC was locked
    4801       PC was unlocked
    4802       Screensaver ON
    4803       Screensaver OFF




    Part 3
    Create a customized filter in Event Viewer to monitor your events


    1. Press Win + W to open Charms Search for Settings, type Event and hit Enter to open Event Viewer

    2. Browse to Windows Logs > Security on the left pane, click Filter Current Log on Actions pane on the right

    3. Set a time period of your choice and type the event IDs from Part 2 into the Includes / Excludes text field. If the Part 2 list of events is what you want, you can alternatively copy and paste the string below:
    Code:
    4624,4625,4647,4720,4723,4724,4726,4800-4803

    4. Click OK to create a customized event filter

    5. Click Save Filter to Custom View, name your filter and click OK

    6. You will now see your filter in Event Viewer



    That's it. Now you can monitor who has logged in and when, who tried to reset a password, when the PC was locked and so on. Here for instance, I logged out at quarter past 10 PM from my desktop, then logged back in remotely from a laptop about half an hour later:



    In the beginning it can be quite confusing to read Event Logs. When you for instance log out, there's not only one logoff event to see but instead several; the internal services are also logging out together with you. A little bit of practice, and before you even notice it you will have learned to find the correct entries.

    Kari
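
The Part 3 filter can also be run from an elevated PowerShell prompt, which helps with the noise described above, where service logons appear next to your own. This is an added example, not part of Kari's tutorial; the event IDs are the Part 2 list, while the 24-hour window and the choice of which logon types to keep are assumptions.

```powershell
# Added example, not from the tutorial. Requires an elevated prompt,
# because the Security log is readable by administrators only.
$ids = 4624,4625,4647,4720,4723,4724,4726,4800,4801,4802,4803

# Logon types that indicate a person rather than a service (assumption:
# these are the ones you care about on a shared desktop PC).
# 2 = interactive, 7 = unlock, 10 = remote interactive, 11 = cached interactive
$humanLogonTypes = '2','7','10','11'

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-24)   # look-back window, adjust as needed
} | ForEach-Object {
    # Read the EventData fields by name instead of by position,
    # since the field order differs between event IDs.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # For logon successes and failures, drop service, batch and network
    # logons so that only sessions started by a person remain.
    $isLogon = $_.Id -in (4624, 4625)
    if ($isLogon -and ($data['LogonType'] -notin $humanLogonTypes)) { return }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Account   = $data['TargetUserName']    # account logged on, changed or locked
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']         # empty for non-logon events
        SourceIp  = $data['IpAddress']         # filled in for remote logons
        Subject   = $data['SubjectUserName']   # who performed an account change
    }
} | Sort-Object Time | Format-Table -AutoSize
```

For the account management events (4720, 4723, 4724, 4726), the Subject column shows the account that made the change and the Account column shows the account that was changed.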


  2. #1



    Logon entry frustration


    Hi Kari, with all your knowledge and experience playing with these group policies, have you ever found the event id or how to record the credentials used via UAC to install software or modify settings?
    It is a particular problem we have, where a client's system has several staff authorised to install software or make minor modifications, but of course when we find something has been installed or changed, no one claims any knowledge of doing this. (They are meant to fill in forms that are returned to us to update our database with what has been changed on each workstation).
    Surely there must be somewhere a local machine can record the credentials used to confirm UAC requests?
    But all my searching so far has been fruitless. Yours is the first decent article I have found on recording access logon events, so thought you may have some alternative knowledge or angles you can think of, hopefully.

    Best regards
    Gregg


  3. #2




    I am afraid that information might be really difficult, if not impossible, to get. Please see this article for more explanation: Windows Security Log Event ID 4648 - A logon was attempted using explicit credentials

    Kari
