Author: Adam Fowler

Logon and Logoff Security Event Viewer Auditing

Update 30th July 2022 – The TechNet links no longer work, but I’ve updated the script link to a GitHub copy.

Original post:

Logon and Logoff events for a PC running Vista or above are logged to the Security section of Event Viewer. If you’re looking for a particular event at a particular time, you can browse through manually with a bit of filtering in the Event Viewer GUI and find what you need.

On a larger scale though, this doesn’t make sense. If you’re looking at multiple users or multiple events, the task gets tedious very quickly.

Logon and Logoff events on a domain will be logged against the closest domain controller, but unless you’re piping these logs elsewhere (which I briefly talked about here on Tech Target), the DC’s logs will quickly fill up and cycle off. Also, the user may have authenticated against multiple DCs, or there are other scenarios such as an offline laptop user first logging in locally before being on the network.

A PC keeping only its own security logs will go back a lot further (over a month hopefully!) so there’s a lot of data to obtain.

There’s an older Microsoft TechNet article that covers this briefly called Tracking User Logon Activity Using Logon Events which has some useful information, including the Event IDs:

Logon Event ID 4624
Logoff Event ID 4634

Now, you can filter the event viewer to those Event IDs using Event Viewer, but you can’t filter out all the noise around anything authenticating to and from the PC you’re investigating.

One way of doing this is of course, PowerShell.

There are two commands I found for this – Get-EventLog (link now dead) and Get-WinEvent (link now dead). I used Get-EventLog as it seemed to be a bit easier to get the data I needed, but I couldn’t get it to work exactly as I wanted.

Then I read this TechNet article – PowerShell Get-WinEvent XML Madness: Getting details from event logs (link now dead) which backed up what I was experiencing, such as “The bad: All of a sudden reading event logs gets complicated. The filtering in particular requires some crazy syntax.”

This all started to get too hard, and I couldn’t get my head around the code or get it to work!

Finally, I found someone who’d created a very nice script that did everything I wanted: Security Log Logon/Logoff Event Reporter

The script doesn’t need any parameters to run, just asks for which PC, date range, if you want to only see failed logins (which I don’t for this scenario), and then how to display the information.


Sometimes it takes a lot of research and time to just use someone else’s script and be done with it :)

Update:
As @GirlGerms pointed out, many people just lock their workstation rather than logging off/on. In that case, these are the two Event IDs:

Workstation Locked Event ID 4800
Workstation Unlocked Event ID 4801

The script I found doesn’t include these, but it appears very easy to adjust to see those results too. None of this works if the person doesn’t lock their PC and never logs off, so it’s hardly an all-encompassing method.
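For anyone who wants to do the filtering themselves rather than use the linked script, here is an added example (my own illustration, not the Security Log Logon/Logoff Event Reporter script and not code from the TechNet articles above). It uses Get-WinEvent with a filter hashtable for the four Event IDs from this post, pulls the user name and logon type out of each event’s XML, and drops the network and service logons that make up most of the noise. It assumes you run it as an administrator who can read the remote PC’s Security log, that the remote PC is reachable for Event Log access, and that the log hasn’t cycled past the dates you ask for.

```powershell
# Added example: query a PC's Security log for logon/logoff (4624/4634) and
# lock/unlock (4800/4801) events over a date range, keeping only the
# interactive activity that tells you who actually used the machine.
# Assumptions: elevated prompt, remote Event Log access allowed, log not yet cycled.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End = (Get-Date)
)

# 4624 = logon, 4634 = logoff, 4800 = workstation locked, 4801 = workstation unlocked
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4800, 4801
    StartTime = $Start
    EndTime   = $End
}

# Logon types that mean a person was at the PC: 2 = interactive (console),
# 7 = unlock, 10 = RemoteInteractive (RDP), 11 = cached credentials (offline laptop).
# Type 3 (network) and 5 (service) are the file-share/WMI/service noise to drop.
$interactiveTypes = '2', '7', '10', '11'

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the named fields from the event XML instead of parsing the message text.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = switch ($_.Id) { 4624 { 'Logon' } 4634 { 'Logoff' } 4800 { 'Locked' } 4801 { 'Unlocked' } }
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']   # empty for 4800/4801, which carry no LogonType
        }
    } |
    Where-Object {
        # Keep lock/unlock as-is; for logon/logoff keep interactive types only and
        # drop computer accounts (trailing $), SYSTEM and ANONYMOUS LOGON.
        ($_.EventId -in @(4800, 4801)) -or
        ($_.LogonType -in $interactiveTypes -and $_.User -notmatch '\$$|SYSTEM|ANONYMOUS')
    } |
    Sort-Object Time |
    Format-Table Time, Action, User, LogonType -AutoSize
```

Save it as a .ps1 and run it as, for example, `.\Get-PCLogons.ps1 -ComputerName PC01 -Start (Get-Date).AddDays(-30)`. Reading the XML fields is what avoids the message-text parsing that the “XML Madness” article complains about; the LogonType filter is what removes the noise the Event Viewer GUI can’t.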

Lync is Experiencing Connection Issues with the Exchange Server

We are still running Lync 2010 server and client, so I’m not sure if this is an issue in later versions (or Skype For Business now) – but this problem still occurs in the most patched versions of Lync 2010.


The error “Lync is Experiencing Connection Issues with the Exchange Server” can be caused by many things. The Bytemedev website lists a lot of common client-corruption type solutions to get around the problem.

Checking Lync client logs didn’t help much, and Lync connectivity in Configuration Information just showed an issue in connecting to EWS without any helpful details.

For my case (which has come up more than once), those fixes weren’t the issue. Another blog post got me onto the right track from NetworkAdminSecrets around having a corrupted contact. Lync will fail if it doesn’t like all the contacts in someone’s Contacts – and this includes the Suggested Contacts!

(Screenshot: the offending contact entry)

Above is the bad contact I found. Often it won’t like an Asian or European character, but this time it was a space (or some other symbol that’s just being represented by a space). It wasn’t even the saved address, it was the display name. This single record caused the problem.

The painful method I used to find the record was first to scroll through the entire list, looking for a weird character. Since I couldn’t find one, I then moved half of the contacts out and checked whether the Lync client still complained after a logout/login. Repeating this process kept narrowing down the contacts until I was left with a few, and could find what I was looking for.

Deleting or fixing the contact was all that was needed to resolve the issue!
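An added example of a quicker check than bisecting the list by hand (my own illustration, not from this post or the NetworkAdminSecrets article): export the Contacts folder (and the Suggested Contacts folder, since Lync reads that too) to CSV from Outlook, then scan the fields that make up the display name for any character outside plain printable ASCII. That catches a no-break space that renders exactly like a normal space, as well as accented or Asian characters and control characters. It assumes the CSV uses Outlook’s export column names (“First Name”, “Last Name”, “E-mail Display Name”, “E-mail Address”); the rows below are constructed sample data so the script runs without Outlook.

```powershell
# Added example: find contacts whose display-name fields contain characters
# outside printable ASCII (0x20..0x7E), which is where the "space that isn't a
# space" in the post hides. Assumes Outlook's CSV export column names.

function Find-SuspectContacts {
    param([Parameter(Mandatory)][object[]]$Contacts)

    # The export columns that feed what Lync/Outlook show as the display name.
    $columns = 'First Name', 'Last Name', 'E-mail Display Name'

    foreach ($c in $Contacts) {
        foreach ($col in $columns) {
            $value = [string]$c.$col
            if (-not $value) { continue }
            $odd = foreach ($ch in $value.ToCharArray()) {
                $code = [int]$ch
                # Anything outside printable ASCII is reported, e.g. U+00A0 (no-break space).
                if ($code -lt 0x20 -or $code -gt 0x7E) { 'U+{0:X4}' -f $code }
            }
            if ($odd) {
                [pscustomobject]@{
                    Column   = $col
                    Value    = $value
                    Email    = $c.'E-mail Address'
                    OddChars = ($odd | Select-Object -Unique) -join ' '
                }
            }
        }
    }
}

# Constructed sample rows in Outlook's export layout. The third contact looks
# normal on screen but its display name contains a no-break space; the second
# has an accented character. Replace this with: $contacts = Import-Csv .\contacts.csv
$sample = @'
"First Name","Last Name","E-mail Display Name","E-mail Address"
"Jane","Citizen","Jane Citizen","jane@example.com"
"José","Lopez","José Lopez","jose@example.com"
"Bob","Smith","Bob Smith","bob@example.com"
'@ -replace 'Bob Smith', "Bob$([char]0x00A0)Smith"

$contacts = $sample | ConvertFrom-Csv
Find-SuspectContacts -Contacts $contacts | Format-Table -AutoSize
```

With real data, run it once against each exported folder; a contact that shows up with only U+00A0 in OddChars is the invisible case described above, while accented names will also be listed and can be judged on their own merits.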

Movie Ticket Competition for Australia! Merry Christmas :)

Just running a quick 7 day competition for 2 free movie tickets in Australia to see how it goes.
I’ve got a few tickets I won’t get time to use in the month before they expire, so happy to send them to someone who wants them!
Comment on this post, then fill in the form. No sharing of page or anything else required!

Email address used to contact winner only, no signups to anything else unless you tick the option to do so.

Prize is:

2 Standard HOYTS Unrestricted Adult e-Cine Gift Pass admissions to a movie of your choice to enjoy at HOYTS Cinemas across Australia. Expiring 13th January 2016.

Hoyts Movie Ticket Giveaway


Update 19th Dec 2015
The winner has been drawn! Congrats Chris L – tickets have been emailed. For those wondering, the draw was done automatically by gleam.io which is what you’re seeing in the widget. All I did was click the button to draw it :)

KB3114409 Causes Outlook 2010 to run in Safe Mode

Appears to be a bad patch from Microsoft.

KB3114409 dated December 08 2015 has caused many users to only be able to launch Outlook in Safe Mode.

If you need to roll back, I wrote this recently on ‘Rolling back from a bad KB Update’.

Feel free to comment on your experience with this KB, I’ll update this post with any other information I find.

I also found this forum thread on Windows TenForums about the issue.


Update 10th December 2015:

Thanks for all the comments – glad it’s helped you all out. We’ll see if the patch gets reissued. Rehash of some of the details below:

Webmaster advises: This is being sold as an improvement: “Adds administrative support to prevent Outlook 2010 from booting into safe mode. Administrators set this function in some scenarios when they have add-ins that must be enabled.”

This TechNet article contains the key you can modify to stop Outlook going into Safe Mode.

Alexej Kucher advises that on a 64-bit machine with 32-bit Outlook you have to create the following registry key:
HKLM\Software\Wow6432Node\Microsoft\Office\14.0\Outlook\Security – DWORD: DisableSafeMode = 1

Wayne DeJulia advises that the command to uninstall is:
msiexec /package {90140000-0011-0000-0000-0000000FF1CE} MSIPATCHREMOVE={14CDCBF7-3CCC-42E2-A5BB-2D4926E16FAA} /qn /norestart

boozydaboozer advises: Looks like Microsoft has removed KB3114409 from Windows Update.


Update 6th Jan 2016
I’ve noticed clients keep getting prompted to uninstall this, so once your desktops are all unpatched, you will have to decline the update.
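An added example that puts the two workarounds from the comments into one script (my own illustration, not from the post, the TechNet article or the commenters): it sets the DisableSafeMode DWORD under the Outlook Security key, picking the Wow6432Node path when 32-bit Outlook is installed on 64-bit Windows as Alexej describes, verifies the value, and can optionally run the exact msiexec uninstall command Wayne quoted. It assumes the non-Wow6432Node path (HKLM\Software\Microsoft\Office\14.0\Outlook\Security) applies when Outlook’s bitness matches the OS, since Wow6432Node is the 32-bit view on a 64-bit OS, and that you run it from an elevated prompt.

```powershell
# Added example: set DisableSafeMode = 1 for Outlook 2010 (the key from the
# post's comments) in the correct registry view, and optionally remove KB3114409
# with the msiexec command quoted in the post. Run elevated.
# Assumption: the non-Wow6432Node path is the right one when Outlook and the OS
# have the same bitness.

function Set-OutlookSafeModeOverride {
    param([switch]$UninstallPatch)

    # 32-bit Office on 64-bit Windows registers under Wow6432Node; use that view if present.
    $nativeKey = 'HKLM:\Software\Microsoft\Office\14.0\Outlook'
    $wowKey    = 'HKLM:\Software\Wow6432Node\Microsoft\Office\14.0\Outlook'
    $base = if ([Environment]::Is64BitOperatingSystem -and (Test-Path $wowKey)) { $wowKey } else { $nativeKey }
    $securityKey = Join-Path $base 'Security'

    # The Security subkey often doesn't exist until something creates it.
    if (-not (Test-Path $securityKey)) { New-Item -Path $securityKey -Force | Out-Null }
    New-ItemProperty -Path $securityKey -Name DisableSafeMode -PropertyType DWord -Value 1 -Force | Out-Null

    # Read it back so the log shows what was actually written and where.
    $result = Get-ItemProperty -Path $securityKey -Name DisableSafeMode
    Write-Host "DisableSafeMode = $($result.DisableSafeMode) at $securityKey"

    if ($UninstallPatch) {
        # Product and patch codes exactly as quoted in the post's comments for KB3114409.
        $msiArgs = '/package {90140000-0011-0000-0000-0000000FF1CE} MSIPATCHREMOVE={14CDCBF7-3CCC-42E2-A5BB-2D4926E16FAA} /qn /norestart'
        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
        Write-Host "msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = reboot required)"
    }
}

# Registry workaround only; add -UninstallPatch to also remove the update.
Set-OutlookSafeModeOverride
```

Once the desktops are clean, remember the point in the update above: the patch will still be offered again, so it has to be declined in WSUS or Windows Update rather than just removed.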

How Does NBN Get To Me?

A lot of people have asked me questions like ‘What is NBN?’ or ‘How is it different’? Many people have had no exposure to the NBN so I thought I’d take the chance to briefly show how NBN gets to my house. I’ll speak in very general terms and avoid jargon as much as I can, and define a few commonly used terms.

For starters, NBN stands for ‘National Broadband Network’ – and without going into its entire poor history of how it got to where it is today, there are a few different types of NBN:

Fixed Line

Fibre To The Premises (FTTP) – This is what I have, and it’s a fibre cable run from the exchange (as in, telephone exchange) all the way to your house. It’s considered the best generally.
Fibre To The Node (FTTN) – This is another fibre cable run, but goes to a node (a cabinet somewhere in your neighbourhood, closer than the exchange), and from there goes to copper to your house (i.e. your phone line).
Hybrid Fibre Coaxial (HFC) Cable – This is the older cable that Telstra and Optus use for Internet as well as Pay TV.

Wireless

Fixed Wireless – This involves an antenna being placed on your premises, which gets signal from a base station. Speeds are much lower (max 25mbit down) than Fixed Line options, with higher latency.
Satellite – A dish is used rather than an antenna, and your data goes via a Satellite floating above the earth. Similar download speeds to Fixed Wireless but latency should be worse.

Personally I am lucky enough to have the pinnacle of NBN options – FTTP. A delicate thread of glass runs its way from the exchange all the way to the inside of my house.

Since I can’t get into the exchange easily, the journey of my fibre starts running along the telephone poles (many places have it underground instead) to the one outside my house:

Look at all those beautiful wires!

From there, just like the old copper cable, the fibre gets strung across to the corner of the roof. The highly professional ‘metal hook with weight thingy’ keeps the cable in place:

Wires everywhere

From the corner of the roof, the fibre is fed down into the NBN utility box (aka Premises Connection Device – PCD). Black cable in, white cable out. What magic happens in the middle? I don’t know as I couldn’t find anything online, but it most likely draws the line between the in-premise side of the fibre, and the off-premise fibre run.

Upside-down NBNCo PCD

From the PCD, the cable is then run into the roof cavity to get to the NBN Connection box. You’ll need a reasonable amount of wall space, and some ventilation room for this one:

Left: NBN Connection box. Right: Power Supply with Battery Backup (optional)

Taking the cover off of the NBN Connection box, you can see the little blue fibre cable being fed from the white shielding, looped around and fed into the Network Termination Device. Fibre is very delicate, with the added bonus of being able to blind yourself if you look into the end:

NBN Connection box with cover taken off

Here’s the below view of the Network Termination Device (NTD) inside the NBN Connection box. The first two ports on the left are voice ports, for a standard telephone service. Next up are the 4 broadband ports – my blue cable feeds off to a normal ADSL type router that works with a WAN connection (such as NBN). Beyond that is the white power cable and of course the fibre cable. Note that you can’t just plug in to any port; the ISP will enable a particular port for you to use (or in my case from Internode, they’ll tell you ‘UNI-D 2’ on the paperwork but actually have ‘UNI-D 1’ as the active port!). You can have up to 4 separate internet connections from this, but they’ll be on 4 separate bills.

Lower view of the NTD

Lastly, the Power Supply with Battery Backup. This is optional, but didn’t cost me anything extra. If there’s a power outage, this will give me 12 hours or so of power to the NTD. Handy just in case (keep in mind you’ll need some sort of power for your own router too for internet):

Big warning on the Battery Backup

With all this in place, and a high speed internet plan, this is the sort of speed I now get:

Faster than 98% of AU! :)

Without getting too political, if you don’t have FTTP NBN, you probably won’t get it in future, instead it’ll most likely be FTTN.

For details, check out http://www.nbnco.com.au/ as they’ve got a lot of good resources around the NBN.

Happy Internetting everyone!