Windows Security Log Event ID 4801

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Logon/Logoff
 • Other Logon/Logoff Events
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 4801
How do you identify this at the Domain controller in 2008 or newer?

4801: The workstation was unlocked

On this page

When a user unlocks his workstation you will see this event.

To find out when the workstation was previously locked look backwards in time for for event ID 4800.

If a screen saver is used, there is also a relationship between this event and 4802 (screen saver invoked) and 4803 (screen saver dismissed). For Interactive logons you may see this event or 4803. See event ID 4802 for the sequence of events.

Free Security Log Resources by Randy

Description Fields in 4801

Subject:

The user and logon session involved.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Supercharger Free Edition

 

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4801

The workstation was unlocked.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1be4b
   Session ID: 1

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources