The Event Viewer is a very useful tool; however, like any log management solution, the biggest hurdle is filtering out the noise and returning only the meaningful log data you care about.
This is a follow-up to a previous article, which can be viewed here: Finding Human Logins in the Windows Event Viewer – Suppressing Everything Else
One of the most common requests is seeing who has been in and out of a box. To that end, I want to expand a bit more and talk about how to filter on the following three things: Username, Event ID, and Logon Type.
For this exercise you will need to know the username of the person you want to investigate. I am going to provide a bit of XML that you can use as a custom filter to search for all logon events by a particular user, and then dive a little deeper and filter specifically on the logon TYPE, something I didn't talk about previously.
So here is our XML (the username "jdoe" and the logon-type placeholder XX are the two values you change):

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType']='XX']]
      and
      *[EventData[Data[@Name='TargetUserName']='jdoe']]
      and
      *[System[(EventID=4624)]]
    </Select>
  </Query>
</QueryList>
So our above filter does the following (starting from the bottom up):
-Filters on event ID, in this case 4624, "An account was successfully logged on". Note this is a logon event rather than an authentication event: on a domain member it is written on the machine that was logged on to, while Kerberos ticket activity is recorded on the domain controller as 4768/4769.
-Filters on the username, which is the TargetUserName field of the event; in the example above "jdoe" is used. The comparison is an exact match with no wildcards, so use the name exactly as it appears in the event.
-Filters on the logon type, the LogonType field, which takes one of several numerical values that I will discuss now.
Credit goes to this site: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
2 Interactive (logon at keyboard and screen of system)
3 Network (i.e. connection to shared folder on this computer from elsewhere on network)
4 Batch (i.e. scheduled task)
5 Service (Service startup)
7 Unlock (i.e. unattended workstation with password protected screen saver)
8 NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”) See this article for more information.
9 NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648.
10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11 CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
Some of the numbers of interest to me are: 2, 3, 4, and 10.
If you drop a "2" in place of XX above it is only going to show you sessions where someone logged on at the console of the box, that is, physically sitting in front of it with a keyboard and screen (or at the console of a virtual machine).
3 is going to show you someone coming across the network and authenticating remotely (a file share, WinRM, and the like), and 10 is specifically RDP sessions. Be aware that reconnecting to a disconnected RDP session or unlocking it is logged as type 7 rather than a fresh type 10 logon, so include 7 if you want the full picture of remote desktop use. If you have devs that set up scheduled tasks and run them under their own accounts, type 4 can show you when those jobs fire off.
To use the above code, open Event Viewer and on the left go to Windows Logs –> Security. On the far right in the Actions pane, select "Filter Current Log". This brings up a new dialog box. In here, click the "XML" tab, tick "Edit query manually", then copy/paste the code above, replacing the username and XX as explained to return the results you care about. You need to be an administrator (or a member of Event Log Readers) to read the Security log.
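The same three-field filter can be run from PowerShell with Get-WinEvent -FilterXml, which is handy when you want to script it, run it against another host, or check several logon types at once. This is an added example and not code from the original post; the $User, $LogonTypes, $Days and $ComputerName defaults are illustrative assumptions, and the time window is an addition to the Event Viewer query above so a busy server does not return its whole log.

```powershell
# Added example: the Event Viewer XML filter above, run from PowerShell.
# $User, $LogonTypes, $Days and $ComputerName are illustrative defaults
# (assumptions); change them for your environment. Reading the Security
# log requires administrative rights.
param(
    [string]$User         = 'jdoe',      # TargetUserName exactly as it appears in the event
    [int[]] $LogonTypes   = @(2, 10),    # console and RDP logons
    [int]   $Days         = 7,           # how far back to look
    [string]$ComputerName = ''           # empty = local machine
)

# LogonType values from the table above, for readable output
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# The Event Log XPath subset has no "in" operator, so OR the types together.
$typeClause = ($LogonTypes | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
$msAgo = $Days * 86400000   # timediff() in the XPath subset works in milliseconds

# Same structure as the Event Viewer query plus a time window.
# '<=' has to be written as &lt;= because the query is XML.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= $msAgo]]]
      and
      *[EventData[Data[@Name='TargetUserName']='$User']]
      and
      *[EventData[$typeClause]]
    </Select>
  </Query>
</QueryList>
"@

$query = @{ FilterXml = [xml]$filterXml; ErrorAction = 'SilentlyContinue' }
if ($ComputerName) { $query.ComputerName = $ComputerName }

# Get-WinEvent emits a non-terminating error (suppressed above) and returns
# nothing when no event matches the filter.
Get-WinEvent @query | ForEach-Object {
    # Pull the named EventData fields out of the event XML instead of relying
    # on the positional Properties array, which differs between OS versions.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = "$($data.LogonType) $($LogonTypeNames[[int]$data.LogonType])"
        SourceIP    = $data.IpAddress
        Workstation = $data.WorkstationName
        LogonId     = $data.TargetLogonId   # correlate with 4634/4647 to find the logoff
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt, for example with -User jdoe -LogonTypes 2,7,10 -Days 30. The XPath string match on TargetUserName is exact, so if the account shows up as an email-style UPN or with different casing in the event, the filter needs to use that form; the TargetLogonId in the output is the value to pair with the matching 4634/4647 event when you want session length rather than just logon time.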
This was intentionally brief as I came across this on Stack Overflow/ServerFault and I am sure I will use it again in the future.