1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Logon/Logoff Events

Discussion in 'Windows Security' started by TonyN, Sep 9, 2009.

  1. TonyN

    TonyN Guest

    Hello Everyone: I'm not sure if this is the right group for this question,
    but if not, perhaps someone can redirect me. Anyway, I am interested in
    tracking user Logon/Logoff times using the Windows Event records. My
    situation is that I have several public use computers running Windows/XP with
    SteadyState to control the user accounts, and it is mainly the accounts
    defined to SteadyState that I want to monitor. If I look at the Event Viewer
    after a Logon/Logoff sequence, I see the following records (Event ID):

    Logon: 528, 576, 538, 538 576
    Logoff: 551

    Is this sequence of records normal and predictable i.e. can I depend on them
    for monitoring purposes? If possible I need to track all Logon events and
    Logoff events resulting from 1) the user logging off (i.e. clicking Start =>
    Log Off), 2) a log off resulting from a time out, and, 3) the computer being
    powered off.

    Thanks. . .

    Tony N.
     
    TonyN, Sep 9, 2009
    #1
  3. PA Bear [MS MVP]

    PA Bear [MS MVP] Guest

    Post here instead:

    Windows SteadyState Support Forum


    SteadyState Handbook


    SteadyState FAQ:
    (Published 10 Sept-07)
    --
    ~Robear Dyer (PA Bear)
    MS MVP-IE, Mail, Security, Windows Client - since 2002



    TonyN wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Hello Everyone: I'm not sure if this is the right group for this question,
    > but if not, perhaps someone can redirect me. Anyway, I am interested in
    > tracking user Logon/Logoff times using the Windows Event records. My
    > situation is that I have several public use computers running Windows/XP
    > with SteadyState to control the user accounts, and it is mainly the
    > accounts
    > defined to SteadyState that I want to monitor. If I look at the Event
    > Viewer
    > after a Logon/Logoff sequence, I see the following records (Event ID):
    >
    > Logon: 528, 576, 538, 538 576
    > Logoff: 551
    >
    > Is this sequence of records normal and predictable i.e. can I depend on
    > them
    > for monitoring purposes? If possible I need to track all Logon events and
    > Logoff events resulting from 1) the user logging off (i.e. clicking Start
    > =>
    > Log Off), 2) a log off resulting from a time out, and, 3) the computer
    > being
    > powered off.
    >
    > Thanks. . .
    >
    > Tony N. <!--colorc--><!--/colorc-->
     
    PA Bear [MS MVP], Sep 9, 2009
    #2

Share This Page