Screen Saver Lock Event ID

BrianG

Is there an event ID that can be/is written to the Security log when a screen
saver locks in WinXP, for either when the screen saver locks itself or if a
user manually locks it? I want to track the last time of the day when a
person has stopped using their computer. Thanks
 
Laura Zhang[MSFT]

The customer's goal could not be implemented in Windows XP.

Prior to Windows Vista there is no event when a workstation is locked.
Unlock is a pair of events (528+538) with logon type 7.

Starting in Windows Vista we have added explicit events for lock, unlock,
TS/FUS connect/disconnect, screen saver invoke and screen saver dismiss.
These are in the Security event log and are from event source
"Microsoft-Windows-Security-Auditing". The event IDs are in the range
XXX-XXX.

You can dump the events yourself from a Vista or Windows Server 2008
machine:
http://blogs.msdn.com/ericfitz/archive/2007/07/31/documentation-on-the-windows-vista-and-windows-server-2008-security-events.aspx

I would give you one note of caution- the events and timestamps for logoff
and lock workstation are unreliable- they do not PROVE that someone
accessed their machine for exactly that length of time. I discuss logoff
events here:
http://blogs.msdn.com/ericfitz/archive/2007/05/08/the-trouble-with-logoff-events.aspx

The problem with locking the workstation is that there is no way to
instrument the OS for someone who just backs away from the keyboard and
walks away. The screen saver, if configured, will come on after a
configurable delay since the last keypress or mouse movement. However the
workstation does not lock until the screen saver is dismissed (some of you
might have noticed that when you bump the mouse to dismiss the screensaver,
sometimes you see your desktop for a fraction of a second- that's because
your machine isn't locked while the screen saver is being displayed).




Best regards,

Laura Zhang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
====================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how to questions.
We also love to hear your product feedback! Let us know what you think by
posting

from the web interface: Partner Feedback
from your newsreader:
microsoft.private.directaccess.partnerfeedback.

We look forward to hearing from you!
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
====================================================
 
Jian-Ping Zhu [MSFT]

Hello,

Thank you for your post.

Unfortunately, on a Windows XP workstation, no event is recorded when the
workstation is locked manually or locked by the screen saver. Only an unlock
event is recorded when the workstation is unlocked. To audit the unlock
events, you need to enable logon/logoff auditing for successful and failed
events on XP workstations.

To do this, please:

1. Click Start -> Control Panel -> Administrative Tools -> Local Security
Policy
2. Click the left snap-in and expand Local Policies
3. Open Audit logon events in Audit Policy and check the Success and
Failure boxes and press OK.

After that, you can see the unlock event in Event Viewer -> Security log.
The unlock event is a pair of events (ID 528 + ID 538) with logon type 7.

We understand that it is useful to record the computer lock and unlock
information. So in Windows Vista and Windows Server 2008, there is an
improvement: both lock and unlock events are recorded. As on a Windows XP
workstation, you need to enable logon/logoff auditing for successful and
failed events on the workstation to audit the lock and unlock events.

The following is a snippet of Vista/Windows Server 2008 Logon/Logoff Event
IDs.

<event value="0x00001210" symbol="SE_AUDITID_ETW_SUCCESSFUL_LOGON"/> (Event ID 0x1210 = 4624)
<event value="0x00001211" symbol="SE_AUDITID_ETW_LOGON_FAILURE"/>
<event value="0x0000121A" symbol="SE_AUDITID_ETW_LOGOFF"/>
<event value="0x00001227" symbol="SE_AUDITID_ETW_BEGIN_LOGOFF"/>
<event value="0x00001228" symbol="SE_AUDITID_ETW_LOGON_USING_EXPLICIT_CREDENTIALS"/>
<event value="0x000012C0" symbol="SE_AUDITID_ETW_WORKSTATION_LOCKED"/>
<event value="0x000012AA" symbol="SE_AUDITID_ETW_SESSION_RECONNECTED"/>
<event value="0x000012AB" symbol="SE_AUDITID_ETW_SESSION_DISCONNECTED"/>
<event value="0x000012C1" symbol="SE_AUDITID_ETW_WORKSTATION_UNLOCKED"/>
<event value="0x000012C2" symbol="SE_AUDITID_ETW_SCREENSAVER_INVOKED"/>
<event value="0x000012C3" symbol="SE_AUDITID_ETW_SCREENSAVER_DISMISSED"/>

I hope this helps. Thanks.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center
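
An added example, not part of the original posts: the lock and screen saver values in the list above convert to decimal event IDs 4800-4803, and the Python below uses them to estimate each user's last activity per day. The record layout, the user names and the 10-minute saver_timeout are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Manifest lines quoted in the post above (the subset relevant to presence tracking).
MANIFEST = '''
<event value="0x000012C0" symbol="SE_AUDITID_ETW_WORKSTATION_LOCKED"/>
<event value="0x000012C1" symbol="SE_AUDITID_ETW_WORKSTATION_UNLOCKED"/>
<event value="0x000012C2" symbol="SE_AUDITID_ETW_SCREENSAVER_INVOKED"/>
<event value="0x000012C3" symbol="SE_AUDITID_ETW_SCREENSAVER_DISMISSED"/>
'''

def event_ids(manifest=MANIFEST):
    """Map decimal event ID -> short name, e.g. 4800 -> 'WORKSTATION_LOCKED'."""
    pairs = re.findall(r'value="(0x[0-9A-Fa-f]+)"\s+symbol="SE_AUDITID_ETW_(\w+)"', manifest)
    return {int(value, 16): name for value, name in pairs}

# Constructed sample records (timestamp, user, event ID); not real log data.
SAMPLE = [
    ("2008-03-03 12:01:10", "alice", 4800),  # manual lock at lunch
    ("2008-03-03 12:58:42", "alice", 4801),
    ("2008-03-03 17:42:00", "alice", 4802),  # screen saver starts after idle timeout
    ("2008-03-03 09:15:00", "bob", 4802),
    ("2008-03-03 09:20:05", "bob", 4803),    # bob came back and kept working
]

def last_stop_per_day(records, saver_timeout=timedelta(minutes=10)):
    """Return {(user, date): (estimated_stop, source_event, returned_later)}."""
    # saver_timeout is an assumed policy value: a screen saver start means the
    # last keypress or mouse movement was about that long before the event.
    names = event_ids()
    by_key = defaultdict(list)
    for stamp, user, eid in records:
        if eid in names:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            by_key[(user, when.date())].append((when, names[eid]))
    result = {}
    for key, events in by_key.items():
        events.sort()
        away = [(i, e) for i, e in enumerate(events)
                if e[1] in ("WORKSTATION_LOCKED", "SCREENSAVER_INVOKED")]
        if not away:
            continue
        idx, (when, name) = away[-1]
        stop = when - saver_timeout if name == "SCREENSAVER_INVOKED" else when
        # A later unlock/dismiss means the user returned; stop is only a lower bound.
        returned = idx < len(events) - 1
        result[key] = (stop, name, returned)
    return result
```

The returned_later flag marks days where the last "away" event was followed by an unlock or dismiss, so the estimate cannot be treated as the end of the user's day.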

 
BrianG

I found an acceptable intermediate solution until we can go to WinVista or
higher:

By default, no event is recorded in the Security log when a screen saver
locks. But we can enable auditing on the logon.scr file to record the screen
saver event in the Security log with the following steps:

Note: we assume logon.scr is used as the screen saver; you can change this
to another .scr screen saver.

A. Enable "Audit object access" policy on the server
===========================
1. Click Start > Run, type Gpedit.msc
2. Navigate to Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy
3. In the details pane, double-click "Audit object access".
4. In the Audit object access Properties dialog box, check "Success" and
"Failure" on Local Security Setting tab.
5. Click OK.
6. Run gpupdate /force in command window to refresh the group policy.

B. Add the user right settings of logon.scr
=============================
1. Browse to %systemroot%\system32 and right-click on logon.scr. Then choose
Properties, switch to Security Tab and click Advanced.
2. Switch to Auditing, click Add and add proper groups or users (such as
Administrator).
3. Double-click the proper groups or users, check Full Control in Successful
and Failed, and click OK to enable the auditing.

If you use your PDC to provide trusted time to all computers, restrict
acceptable time to be within 15 min using a GPO, force a screen saver for all
PCs to lock after a certain amount of time using a GPO, and limit the number
of users that have administrative rights over the computers, then you should
be able to trust time and force a screen saver lock to generate an error.
One caveat: If the user manually locks their computer, then no event is
recorded. The screen saver MUST kick in first before the computer is locked
in order to generate the error.
 
Jian-Ping Zhu [MSFT]

Hello,

Thank you for the information sharing.

I agree that this is an acceptable workaround. However, as you said, if
users lock the computers manually, there is no way to record any security
logs of this operation.

If it is possible, I recommend you upgrade to Windows Vista for long term
consideration.

Thanks again for using the newsgroup and hope you have a nice day.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

 
