    How to Get User Logon Session Times from the Event Log


    To figure out user session time, you’ll first need to enable three advanced audit policies: Audit Logoff, Audit Logon, and Audit Other Logon/Logoff Events.

    The combination of these three policies gets you all of the typical logon/logoff events, but it also gets the workstation lock/unlock events and even RDP connect/disconnects. This ensures we capture all of the session start/stop events.

    When these policies are enabled in a GPO and applied to a set of computers, a few different event IDs will begin to be generated.  They are:

    • Logon – 4624 (Security event log)
    • Logoff – 4647 (Security event log)
    • Startup – 6005 (System event log)
    • RDP Session Reconnect – 4778 (Security event log)
    • RDP Session Disconnect – 4779 (Security event log)
    • Locked – 4800 (Security event log)
    • Unlocked – 4801 (Security event log)

    You’ll notice the startup event. Why that one? The reason is that the computer’s power plug may be pulled while a user is logged in. How will we know when that happened? It’s not a perfect metric, but it’s the only date/time we have to show when the session ended.

    Once we’ve got all of the IDs put together, we’ll then need to match the session start event with the very next session end event. But what if there are multiple users logging into a computer? To differentiate, we can use the Logon ID field. This is a unique value for each logon session. If we can find a session start time and then look up through the event log for the next session stop time with the same Logon ID, we’ve found that user’s total session time.


    In this instance, you can see that the LABAdministrator account had logged in (ID 4624) on 8/27/2015 at 5:28PM with a Logon ID of 0x146FF6. I then looked up through the event log at the subsequent messages until I found a session end event (ID 4634) that showed up with the same Logon ID at 5:30PM on the same day. Knowing this Logon ID, I was then able to deduce that the LABAdministrator account had been logged on for three minutes or so.

    This was just a quick demonstration of actual logon/logoff scenarios. You’ll find that when you review a computer in the “real world” you can’t always depend on logon/logoff events if you’d like to find user session durations. Multiple scenarios may come into play such as when a user locks her computer and comes back to unlock it. Perhaps she may lock her computer and the power gets cut. There will be no unlock event; only a startup event. These are the gotchas you need to watch out for to be able to accurately calculate user session history.
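    The pairing described above (match each session start with the next stop event carrying the same Logon ID, and fall back to the next System-log startup event when no stop event ever arrives) is shown here in PowerShell as an added example; it is not code from the original post. It assumes the Logon ID is read from the event’s EventData as `TargetLogonId` (4624/4634/4647/4800/4801) or `LogonID` (4778/4779), and the account name from `TargetUserName` or `AccountName`; check those field names against `(Get-WinEvent ...).ToXml()` on your own systems. The sample events at the bottom are constructed, not real log data, and reproduce the post’s two-minute administrator session plus a lock/unlock followed by a power cut.

```powershell
# Added example (not from the original post): reconstruct user session durations from
# Security/System log events by pairing start events with the next stop event that has
# the same Logon ID. Field names in EventData are assumptions; verify on your own events.

$StartIds  = 4624, 4778, 4801        # logon, RDP reconnect, unlock
$StopIds   = 4634, 4647, 4779, 4800  # logoff (both variants), RDP disconnect, lock
$StartupId = 6005                    # Event Log service started (System log); no Logon ID

function ConvertFrom-SessionEvent {
    # Normalise a Get-WinEvent record into the four fields the pairing needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }   # 6005 has unnamed Data nodes; skip them
        }
        $logonId = if ($data['TargetLogonId']) { $data['TargetLogonId'] } else { $data['LogonID'] }
        $account = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['AccountName'] }
        [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Account = $account; LogonId = $logonId }
    }
}

function Get-LogonSessionTime {
    # For every start event, walk forward to the first stop event with the same Logon ID.
    # A 6005 startup seen first means the machine went down without a logoff (power loss).
    param([Parameter(Mandatory)] [object[]] $Events)
    $sorted = @($Events | Sort-Object Time)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start = $sorted[$i]
        if ($start.Id -notin $StartIds) { continue }
        $end = $null; $endedBy = 'still open (no stop or startup event found)'
        for ($j = $i + 1; $j -lt $sorted.Count; $j++) {
            $e = $sorted[$j]
            if ($e.Id -in $StopIds -and $e.LogonId -eq $start.LogonId) {
                $end = $e; $endedBy = "Event $($e.Id)"; break
            }
            if ($e.Id -eq $StartupId) {
                $end = $e; $endedBy = 'Startup 6005 (no stop event; power loss?)'; break
            }
        }
        $endTime  = if ($end) { $end.Time } else { $null }
        $duration = if ($end) { $end.Time - $start.Time } else { $null }
        [pscustomobject]@{
            Account   = $start.Account
            LogonId   = $start.LogonId
            StartedBy = "Event $($start.Id)"
            Start     = $start.Time
            End       = $endTime
            Duration  = $duration
            EndedBy   = $endedBy
        }
    }
}

# Constructed sample (not real log data): the post's admin session, then a user who locks,
# unlocks, and is cut off by a power loss with no logoff event.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2015-08-27T17:28:00'; Id = 4624; Account = 'Administrator'; LogonId = '0x146FF6' }
    [pscustomobject]@{ Time = [datetime]'2015-08-27T17:30:00'; Id = 4634; Account = 'Administrator'; LogonId = '0x146FF6' }
    [pscustomobject]@{ Time = [datetime]'2015-08-27T18:00:00'; Id = 4624; Account = 'jdoe';          LogonId = '0x15A2B0' }
    [pscustomobject]@{ Time = [datetime]'2015-08-27T18:45:00'; Id = 4800; Account = 'jdoe';          LogonId = '0x15A2B0' }
    [pscustomobject]@{ Time = [datetime]'2015-08-27T18:50:00'; Id = 4801; Account = 'jdoe';          LogonId = '0x15A2B0' }
    [pscustomobject]@{ Time = [datetime]'2015-08-27T19:10:00'; Id = 6005; Account = $null;           LogonId = $null     }
)
Get-LogonSessionTime -Events $sample | Format-Table Account, LogonId, Start, End, Duration, EndedBy -AutoSize

# Live use on a machine where the three audit policies from the post are in effect:
# $live = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624,4634,4647,4778,4779,4800,4801 } | ConvertFrom-SessionEvent) +
#         @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 6005 } | ConvertFrom-SessionEvent)
# Get-LogonSessionTime -Events $live
```

    The sample produces three rows: the administrator session closed by event 4634 after two minutes, jdoe’s first segment closed by the 4800 lock, and jdoe’s second segment (from the 4801 unlock) closed by the 6005 startup, which is the only evidence of when the power was cut. Because a lock is treated as a stop and an unlock as a start, the locked interval is not counted as active session time; if you want wall-clock presence instead, drop 4800/4801 from the start and stop lists.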


    Original post: https://www.cnblogs.com/thescentedpath/p/LogonSessionTimes.html