How to do Logon Session Auditing with the Windows Security Log

Webinar Registration

How do you figure out when someone was actually logged onto their PC?  The data is there in the security log but it’s so much harder than you’d think.

First of all, while I said it’s in the security log, I didn’t say which one.  The bad news is that it isn’t in the domain controller log.  Domain controllers know when you log on but they don’t know when you log off.  This is because domain controllers just handle initial authentication to the domain and subsequent authentications to each computer on the network.  These are reflected as Kerberos events for Ticket-Granting Tickets and Service Tickets respectively.  But domain controllers are not contacted, and have no knowledge, when you log off, lock your console, sleep or hibernate, or when your screen saver kicks in.

Logon session auditing isn’t just a curious technical challenge.  At every tradeshow and conference I go to, people come to me with various security and compliance requirements where they need this capability.  In fact, one of the cases where I’ve been consulted as an expert witness centered around the interpretation of logon events for session auditing.

So the absolute only way to track actual logon sessions is to go to the workstation’s security log.  There you need to enable 3 audit subcategories:

  • Logon
  • Logoff
  • Other Logon/Logoff

In this webinar I’ll explain how those categories work and the events they generate including:

  • 4624 - An account was successfully logged on
  • 4634 - An account was logged off
  • 4647 - User initiated logoff
  • 4778 - A session was reconnected to a Window Station
  • 4779 - A session was disconnected from a Window Station
  • 4800 - The workstation was locked
  • 4801 - The workstation was unlocked
  • 4802 - The screen saver was invoked
  • 4803 - The screen saver was dismissed

Moreover we’ll discuss how to correlate these events because that’s what it’s all about when it comes to figuring out logon sessions.  It is by no means a cakewalk.  Matching these events is like sequencing DNA but the information is there and I’ll show you how to tease it out.
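A minimal sketch of that correlation, added here as an illustration and not taken from the webinar or from Change Auditor: it assumes the events are joined on their Logon ID field and that the input has already been filtered to interactive logons on one workstation. The sample events, the `sessions` and `active_time` helpers and the tuple layout are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample (not real log data): (time, event ID, Logon ID) taken from
# one workstation's Security log, already filtered to interactive logons.
EVENTS = [
    ("2024-03-04 08:58:10", 4624, "0x3e4a1"),  # logon
    ("2024-03-04 12:01:00", 4800, "0x3e4a1"),  # locked
    ("2024-03-04 12:45:30", 4801, "0x3e4a1"),  # unlocked
    ("2024-03-04 15:10:00", 4802, "0x3e4a1"),  # screen saver invoked
    ("2024-03-04 15:10:02", 4800, "0x3e4a1"),  # locked while saver is running
    ("2024-03-04 15:19:40", 4803, "0x3e4a1"),  # screen saver dismissed
    ("2024-03-04 15:20:00", 4801, "0x3e4a1"),  # unlocked
    ("2024-03-04 17:30:05", 4647, "0x3e4a1"),  # user initiated logoff
    ("2024-03-04 17:30:07", 4634, "0x3e4a1"),  # logoff (same session, ignored)
    ("2024-03-04 18:00:00", 4624, "0x51b07"),  # logon with no logoff recorded
    ("2024-03-04 18:30:00", 4800, "0x51b07"),
]
AWAY = {4800: "lock", 4802: "saver", 4779: "disconnect"}   # user leaves
BACK = {4801: "lock", 4803: "saver", 4778: "disconnect"}   # user returns

def sessions(events):
    """Group events by Logon ID into sessions with start, end and away time."""
    out = {}
    for ts, eid, lid in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid == 4624:
            out[lid] = {"start": t, "end": None, "away": timedelta(),
                        "reasons": set(), "since": None}
            continue
        s = out.get(lid)
        if s is None or s["end"] is not None:
            continue  # no matching logon, or session already closed
        if eid in AWAY:
            if not s["reasons"]:
                s["since"] = t          # first reason starts the away interval
            s["reasons"].add(AWAY[eid])
        elif eid in BACK:
            s["reasons"].discard(BACK[eid])
        elif eid in (4647, 4634):
            s["reasons"].clear()
            s["end"] = t
        if not s["reasons"] and s["since"] is not None:
            s["away"] += t - s["since"]  # last reason cleared: close interval
            s["since"] = None
    return out

def active_time(s):
    """Logged-on time minus away time; None while the session is still open."""
    return None if s["end"] is None else s["end"] - s["start"] - s["away"]
```

A session whose `end` stays `None` has no logoff event in the log and needs separate handling before any duration is reported for it.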

This will be a super technical real training for free ™ webinar sponsored by Dell Software, and Tim Sedlack will enrich the event by briefly showing you new functionality in Change Auditor which simplifies the whole process of logon session auditing by producing a single, actual session event.  Brilliant!

Don’t miss this educational and technical session.  Please register now!
