Windows Security Log Event ID 4801

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Logon/Logoff
 • Other Logon/Logoff Events
Type Success
Corresponding events
in Windows 2003
and before
 

4801: The workstation was unlocked

On this page

When a user unlocks his workstation you will see this event.

To find out when the workstation was previously locked look backwards in time for for event ID 4800.

If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed). For Interactive logons you may see this event or 4803. See event ID 4802 for the sequence of events.

Free Security Log Resources by Randy

Description Fields in 4801

Subject:

The user and logon session involved.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 4801

The workstation was unlocked.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1be4b
   Session ID: 1

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources