Registering locking and unlocking of workstations

Hello Fellow Thwackers,

I am trying to see if I can register locking and unlocking of workstations.  This is more of an automated way to do a little grassroots testing, but wanted to see if it could be done.  I know it is Microsoft-Windows-Security-Auditing 4800/4801, but I am not sure that LEM is built to capture that information.  Has anybody tried this?  If so, what is in your bag of tricks to make this happen?

Help????

5 Replies
Level 9

Thank you so much everybody.  All the answers have been super helpful.  I also used the ProviderSID as well (Microsoft-Windows-Security-Auditing 4800/4801), which, with all your help, let me narrow down exactly what I was looking for.

Again, thank you all for your help

"All Hail Thwackers"

Product Manager

So, a super crappy thing to note here: in my experience to date, the "lock" event only gets fired when the "unlock" event gets fired, and not when the workstation actually gets locked. I really hope this changed in Windows 10, but every other version I worked with didn't actually log the lock until it logged the unlock, and you see them together.

Level 15

As a requirement to getting those events, you will need to be running the LEM Agent on your workstations (workstations do not replicate "lock" and "unlock" events to the DCs).  You'll also need to make sure that your Windows Audit Policy (whether local or GPO) is set up to tell Windows to generate those events.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4800

Category / Subcategory: Logon/Logoff → Other Logon/Logoff Events
Type: Success

If both of these things are true, then jhynds's answer is one of multiple ways to find those lock and unlock events.

Without enabling that event ID GPO, do the events get logged on the local PC or on the domain controllers?

Product Manager

Hey,

LEM can detect the Logon Type - you can then create a filter/rule to capture Lock/Unlock events.

Lock: (screenshot of the Lock filter, image not included)

Filter Conditions: (screenshot of the Lock filter conditions, image not included)

Unlock: (screenshot of the Unlock filter, image not included)

Filter Conditions: (screenshot of the Unlock filter conditions, image not included)

Equally, you could create a filter based on the event IDs (4800/4801).

Hope that helps!
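To illustrate what a collector does with the events named in this thread (4800 = workstation locked, 4801 = workstation unlocked, both from Microsoft-Windows-Security-Auditing and only present once "Other Logon/Logoff Events" success auditing is on), here is an added example that is not from any poster and not LEM's own logic. It parses Security-log records in Windows event XML, keeps only 4800/4801 from that provider, and pairs each lock with the next unlock for the same host and logon id; the hostname, users, logon ids and timestamps are constructed samples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Microsoft-Windows-Security-Auditing"
LOCK, UNLOCK = 4800, 4801  # workstation locked / workstation unlocked

# Constructed Security-log record in Windows event XML; hostname, user and logon id are made up.
def _rec(event_id, when, user, logon_id):
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{PROVIDER}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}.0000000Z"/>'
            f'<Computer>WS01.example.local</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">EXAMPLE</Data>'
            f'<Data Name="TargetLogonId">{logon_id}</Data><Data Name="SessionId">1</Data>'
            f'</EventData></Event>')

SAMPLE_EVENTS = [  # alice locks and unlocks; bob's 4801 has no preceding 4800
    _rec(4800, "2024-03-05T09:15:00", "alice", "0x3e7a1"),
    _rec(4801, "2024-03-05T09:42:30", "alice", "0x3e7a1"),
    _rec(4801, "2024-03-05T10:01:00", "bob", "0x4f9c2"),
]

def parse_event(xml_text):
    """Return a dict for a 4800/4801 from the Security-Auditing provider, else None."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    if system.find("e:Provider", NS).get("Name") != PROVIDER or event_id not in (LOCK, UNLOCK):
        return None
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").split(".")[0]  # drop 100ns part
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return {"id": event_id, "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"),
            "computer": system.find("e:Computer", NS).text, "logon_id": data["TargetLogonId"],
            "user": f"{data['TargetDomainName']}\\{data['TargetUserName']}"}

def pair_lock_unlock(records):
    """Match each 4800 with the next 4801 for the same host and logon id. Returns (paired, unmatched):
    paired = [(user, locked_at, unlocked_at, seconds)]; unmatched = orphan 4801s and still-open 4800s."""
    events = [e for e in map(parse_event, records) if e]
    open_locks, paired, unmatched = {}, [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["computer"], ev["logon_id"])
        if ev["id"] == LOCK:
            open_locks[key] = ev
        elif key in open_locks:
            start = open_locks.pop(key)["time"]
            paired.append((ev["user"], start, ev["time"], (ev["time"] - start).total_seconds()))
        else:
            unmatched.append(ev)
    return paired, unmatched + list(open_locks.values())
```

An unlock with no prior lock (bob above) is what you see when auditing or the agent started while the console was already locked, so it is worth reporting rather than dropping.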