Sometimes you may need to find out when the machine was locked and unlocked (for time booking, for instance). Unfortunately, there is no such thing as a dedicated lock/unlock Windows event. Instead, when the user locks or unlocks the workstation, a Logon or Logoff event is written to the Windows Security event log with Logon Type = 7.
To filter all such events, you have to:
- Open the Windows Event Viewer
- On the left tree bar select Windows Logs > Security
- On the right bar click on “Filter Current Log…”
- Select the XML tab and click on “Edit query manually”
- Enter the query below:
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType']='7'] and
        (System[(EventID='4634')] or System[(EventID='4624')])]
    </Select>
  </Query>
</QueryList>
```
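The same filter can be run from PowerShell instead of the Event Viewer, which is handier when the result should feed a time sheet. The script below is an added example, not part of the original post: it passes the XML query above to `Get-WinEvent`, reads the user and logon ID out of each record, and prints the first and last Logon Type 7 event of each day. It assumes it runs in an elevated session, since reading the Security log requires administrator rights.

```powershell
# Added example: Logon Type 7 events (4624 = logon/unlock, 4634 = logoff)
# summarised per day. Requires an elevated PowerShell session.

$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType']='7'] and
        (System[(EventID='4634')] or System[(EventID='4624')])]
    </Select>
  </Query>
</QueryList>
"@

# -ErrorAction SilentlyContinue: Get-WinEvent throws when the filter matches nothing
$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Convert the record to XML so EventData fields can be read by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = if ($_.Id -eq 4624) { 'Logon (unlock)' } else { 'Logoff' }
            User    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonId = $data['TargetLogonId']
        }
    }

# Raw list, oldest first
$events | Sort-Object Time | Format-Table Time, Kind, User, LogonId -AutoSize

# First and last Logon Type 7 event per day, as a starting point for time booking
$events |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Day   = $_.Name
            First = $sorted[0].Time.ToString('HH:mm:ss')
            Last  = $sorted[-1].Time.ToString('HH:mm:ss')
            Count = $_.Count
        }
    } | Sort-Object Day | Format-Table -AutoSize
```

The per-day summary only covers the period still held in the Security log, so check the log's retention settings before relying on it for older dates.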
For a full list of all available logon types, please refer to the table below:
Logon type | Logon title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |