Logon and Logoff events for a PC running Vista or above are logged to the Security section of Event Viewer. If you’re looking for a particular event at a particular time, you can browse through manually with a bit of filtering in the Event Viewer GUI and find what you need.
On a larger scale though, this doesn’t make sense. If you’re looking at multiple users or multiple events, the task gets tedious very quickly.
Logon and Logoff events on a domain will be logged against the closest domain controller, but unless you’re piping these logs elsewhere (which I briefly talked about here on Tech Target), the DC’s logs will quickly fill up and cycle off. Also, the user may have authenticated against multple DCs, or other scenarios such as an offline laptop user first logging in locally before being on the network.
A PC keeping only it’s own security logs will go back a lot further (over a month hopefully!) so there’s a lot of data to obtain.
There’s an older Microsoft Technet article that covers this briefly called Tracking User Logon Activity Using Logon Events which has some useful information, includoing the Event IDs:
Logon Event ID 4624
Logoff Event ID 4634
Now, you can filter the event viewer to those Event IDs using Event Viewer, but you can’t filter out all the noise around anything authenticating to and from the PC you’re investigating.
One way of doing this is of course, PowerShell.
Then I read this Technet article – PowerShell Get-WinEvent XML Madness: Getting details from event logs which backed up what I was experiencing, such as “The bad: All of a sudden reading event logs gets complicated. The filtering in particular requires some crazy syntax.”
This all started to get too hard, and I couldn’t get my head around the code or get it to work!
Finally, I found someone who’d created a very nice script that did everything I wanted: Security Log Logon/Logoff Event Reporter
The script doesn’t need any parameters to run, just asks for which PC, date range, if you want to only see failed logins (which I don’t for this scenario), and then how to display the information.
Sometimes it takes a lot of research and time to just use someone else’s script and be done with it 🙂
As @GirlGerms pointed out, many people just lock their workstation rather than logging off/on. In that case, these are the two Event IDs:
Workstation Locked Event ID 4800
Workstation Unlocked Event ID 4801
The script I found doesn’t include these, but appears very easy to adjust to see those results too. None of this works if the person doesn’t lock their PC, and never logs off so it’s hardly an all encompassing method.