Hello,
Thank you for your post.
Unfortunately, for Windows XP workstation, no event is recorded when a
workstation is locked manually or locked by screen saver. Only unlock event
will be recorded when the workstation is unlocked. To audit the unlock
events, you need to enable logon/logoff auditing for successful and failed
events on XP workstations.
To do this, please:
1. Click Start -> Control Panel -> Administrative Tools -> Local Security
Policy
2. Click the left snap-in and extend Local Policies
3. Open Audit logon events in Audit Policy and check the Success and
Failure boxes and press OK.
After that, you could see unlock event in Event Viewer -> Security logs.
Unlock Event is a pair of events (ID 528+ ID538) with logon type 7.
We understand that it is useful to record the computer lock and unlock
information. So in Windows Vista and Windows Server 2008, there is an
improvement that both lock and unlock events are recorded. Like Windows XP
workstation, you need to enable logon/logoff auditing for successful and
failed events on the workstation to audit the lock and unlock events.
The following is a snippet of Vista/Windows Server 2008 Logon/Logoff Event
IDs.
<event value="0x00001210"
symbol="SE_AUDITID_ETW_SUCCESSFUL_LOGON"/> (Event ID 0x1210 = 4624)
<event value="0x00001211"
symbol="SE_AUDITID_ETW_LOGON_FAILURE"/>
<event value="0x0000121A"
symbol="SE_AUDITID_ETW_LOGOFF"/>
<event value="0x00001227"
symbol="SE_AUDITID_ETW_BEGIN_LOGOFF"/>
<event value="0x00001228"
symbol="SE_AUDITID_ETW_LOGON_USING_EXPLICIT_CREDENTIALS"/>
<event value="0x000012C0"
symbol="SE_AUDITID_ETW_WORKSTATION_LOCKED"/>
<event value="0x000012AA"
symbol="SE_AUDITID_ETW_SESSION_RECONNECTED"/>
<event value="0x000012AB"
symbol="SE_AUDITID_ETW_SESSION_DISCONNECTED"/>
<event value="0x000012C1"
symbol="SE_AUDITID_ETW_WORKSTATION_UNLOCKED"/>
<event value="0x000012C2"
symbol="SE_AUDITID_ETW_SCREENSAVER_INVOKED"/>
<event value="0x000012C3"
symbol="SE_AUDITID_ETW_SCREENSAVER_DISMISSED"/>
I hope this helps. Thanks.
Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! -
www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.