Let me paint a picture for you: a high-level exec walks in and says someone has been on his computer. “I want to know every time someone has logged into my computer in the last month!”
Okay, not so bad. Get into the Event Viewer of the machine, either locally or remotely, go to your Security log, and filter by Event ID 4624. Should be pretty simple to determine from there, right? Well, if only that were so. I’m going to lean very heavily on the Microsoft doc for this event found here. As it states in the mentioned doc, Event ID 4624:
This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
This includes service accounts, network services, SYSTEM services…all of it. There is a lot of junk to get through! So as you dig further into the information given by the event, you will notice a row titled “Logon Type.” Ah, Microsoft didn’t leave us hanging out to dry! This allows us to filter down to only the logon types we care about, but which ones are those exactly? Well, that will depend on your situation. See below for the different types:
Now in my case I was interested in Logon Types 2, 3, 7, and 10. So how do you filter down? It’s not like the Event Viewer filter lets you specify certain data beyond an Event ID. Well, actually it does, it’s just a bit trickier. Here’s how I did it:
1. In Event Viewer, right click on Custom Views and select Create Custom View
2. In the “Event logs” section to the right of “By log” select the Security Windows log
3. Input 4624 in the “<All Event IDs>” box
4. Select the “XML” tab
5. Select the “Edit query manually” on the bottom
6. You will get an Event Viewer warning. Select Yes to continue.
7. Change the Select Path line to the following, subbing in/out which Logon Types you want to filter on by changing the numbers after Data= (Source)
<Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=3 or Data=7 or Data=10)]]</Select>
Click OK and you are all set! You can filter by as many or as few as you like; just follow the syntax convention above.
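If you would rather pull the same thing from PowerShell (for example to hand the exec a spreadsheet), here is the equivalent query run through Get-WinEvent -FilterXPath. This is an added example, not part of the original post; it assumes you run it elevated on the machine in question, and it uses the stricter Data[@Name='LogonType']='2' form so that only the LogonType field is compared rather than any Data element that happens to equal 2.

```powershell
# Added example: same Logon Type filter as the Custom View above, but from
# PowerShell, limited to the last 30 days and summarised per account.
# Assumption: run in an elevated session on the target machine.

# timediff() in the event XPath compares against milliseconds
$windowMs = 30 * 24 * 60 * 60 * 1000

# Build the LogonType clause from the types you care about (2, 3, 7, 10 here).
# Comparing Data[@Name='LogonType'] directly avoids matching other fields.
$types = 2, 3, 7, 10
$typeClause = ($types | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '

$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]" +
         " and *[EventData[$typeClause]]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # Each EventData/Data element carries a Name attribute and the value as text
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    [pscustomobject]@{
        Time         = $ev.TimeCreated
        User         = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType    = [int]$d['LogonType']
        Workstation  = $d['WorkstationName']
        SourceIP     = $d['IpAddress']
        LogonProcess = $d['LogonProcessName']
    }
}

# Who logged on, how, and how often; then the full list newest first
$rows | Group-Object User, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

Pipe `$rows` to Export-Csv if you need to hand the list over; a type 3 (network) logon from an unexpected SourceIP or a type 10 (RemoteInteractive) logon at an odd hour is usually what answers the exec's question.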