Wednesday, 9 October 2013

Tracking User Logon Activity using Logon and Logoff Events

We can track a user's logon activity using the Logon and Logoff events (4624 and 4634) by pairing each logon event with its logoff event through the Logon ID field, which is unique for the life of a logon session (between the user's logon and logoff).

Note: See the articles "Enable logon and logoff events via GPO" and "Logon and Logoff events".

First, we need a general algorithm.

Use time (for a given logon session) = Logoff time - Logon time

Now, what about the cases where the user powers off the machine, or it bluescreens, or a token leak prevents the logoff event from being generated, etc.?  We can use the BEGIN_LOGOFF event to handle token leak cases.  We can use the shutdown event in cases where the user does not log off.  And in case of crashes, the only event we can use is the startup event.  Note that each of these introduces increasing levels of uncertainty.

Logoff time = (logoff time | begin_logoff time | shutdown time | startup time)

This is good, but what about the time the workstation was locked?

Workstation lock time = unlock time - lock time
Total workstation lock time (for a given logon session) = SUM(workstation lock time)

How about remote desktop & terminal server sessions, and fast user switching?  You can connect and disconnect from logon sessions, during which time the user technically isn't using the computer.

Session idle time = session connect time - session disconnect time
Total session idle time (for a given logon session) = SUM(session idle time)

How about times when the machine was idle?  We can estimate that by looking at the time the screen saver was in place and adding the screen saver timeout.

Console idle time = (screen saver dismiss time - screen saver invoke time + screen saver delay)
Total console idle time = SUM(console idle time)

Putting all of this together and modifying our original formula, we get:

Use time (for a given logon session) =
   Logoff time - logon time
      - SUM(workstation lock time)
      - SUM(session idle time)
      - SUM(console idle time)

When we expand it, it is not quite so pretty:

Use time (for a given logon session) =
   ( (logoff time | begin_logoff time | shutdown time | startup time) - logon time )
      - SUM(unlock time - lock time)
      - SUM(session connect time - session disconnect time)
      - SUM(screen saver dismiss time - screen saver invoke time + screen saver delay)

You have to be very careful that you only look at events that are properly contained chronologically between two other appropriate events, to avoid accidentally pairing the wrong logon and logoff events, or pairing a lock workstation event from one logon session with a different logon session.  The best correlation field is the Logon ID field; the next best are the timestamp and the user name.  At various times you need to examine all of these fields.

The following list shows the Event IDs that are useful for analysing a user's logon activity.

4608  STARTUP
4609  SHUTDOWN
4624  LOGON
4634  LOGOFF
4647  BEGIN_LOGOFF
4778  SESSION_RECONNECTED
4779  SESSION_DISCONNECTED
4800  WORKSTATION_LOCKED
4801  WORKSTATION_UNLOCKED
4802  SCREENSAVER_INVOKED
4803  SCREENSAVER_DISMISSED
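The following is an added worked example (not part of the original article) that implements the expanded formula above in Python over a constructed, in-memory list of events, so that the pairing rules can be checked without a live event log. The Logon IDs, user names and timestamps are constructed sample values; the Event IDs are the ones in the list above. It applies the fallback order for the session end (logoff, then begin_logoff, then shutdown, then startup), subtracts lock, disconnect and screen-saver intervals only when they carry the same Logon ID and fall inside the session, and clips an interval that is still open when the session ends (for example a workstation that is locked when the machine is shut down).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Event IDs as listed in the article.
STARTUP, SHUTDOWN = 4608, 4609
LOGON, LOGOFF, BEGIN_LOGOFF = 4624, 4634, 4647
SESSION_RECONNECTED, SESSION_DISCONNECTED = 4778, 4779
WORKSTATION_LOCKED, WORKSTATION_UNLOCKED = 4800, 4801
SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED = 4802, 4803


@dataclass(frozen=True)
class Event:
    event_id: int
    time: datetime
    logon_id: Optional[str] = None   # 4608/4609 are system events and carry no Logon ID
    user: Optional[str] = None


def find_session_end(events: List[Event], logon_id: str, logon_time: datetime) -> Tuple[Optional[datetime], Optional[str]]:
    """Return (end_time, source) using the article's fallback order:
    logoff | begin_logoff | shutdown | startup. Only events after the logon count,
    and the per-session events must carry the same Logon ID."""
    later = [e for e in events if e.time > logon_time]
    for name, eid, needs_id in (("logoff", LOGOFF, True), ("begin_logoff", BEGIN_LOGOFF, True),
                                ("shutdown", SHUTDOWN, False), ("startup", STARTUP, False)):
        for e in later:
            if e.event_id == eid and (not needs_id or e.logon_id == logon_id):
                return e.time, name
    return None, None


def paired_interval_total(events: List[Event], logon_id: str, start_id: int, end_id: int,
                          lo: datetime, hi: datetime, extra: timedelta = timedelta(0)) -> timedelta:
    """Sum (end - start + extra) over start/end pairs with this Logon ID inside [lo, hi].
    Events from other sessions or outside the window are ignored; a start that never
    gets its end before the session finishes is clipped to hi."""
    total, pending = timedelta(0), None
    for e in events:
        if e.logon_id != logon_id or not (lo <= e.time <= hi):
            continue
        if e.event_id == start_id and pending is None:
            pending = e.time
        elif e.event_id == end_id and pending is not None:
            total += e.time - pending + extra
            pending = None
    if pending is not None:
        total += hi - pending   # still locked / disconnected / saver on when the session ended
    return total


def session_use_time(events: List[Event], logon_id: str, screensaver_delay: timedelta = timedelta(minutes=10)) -> dict:
    """Use time = session end - logon - SUM(lock) - SUM(session idle) - SUM(console idle)."""
    events = sorted(events, key=lambda e: e.time)
    logon = next((e for e in events if e.event_id == LOGON and e.logon_id == logon_id), None)
    if logon is None:
        raise ValueError(f"no 4624 for Logon ID {logon_id}")
    end, source = find_session_end(events, logon_id, logon.time)
    if end is None:
        raise ValueError(f"session {logon_id} has no end event yet")
    lock = paired_interval_total(events, logon_id, WORKSTATION_LOCKED, WORKSTATION_UNLOCKED, logon.time, end)
    idle = paired_interval_total(events, logon_id, SESSION_DISCONNECTED, SESSION_RECONNECTED, logon.time, end)
    console = paired_interval_total(events, logon_id, SCREENSAVER_INVOKED, SCREENSAVER_DISMISSED,
                                    logon.time, end, screensaver_delay)
    return {"user": logon.user, "logon": logon.time, "end": end, "end_source": source,
            "lock_time": lock, "session_idle_time": idle, "console_idle_time": console,
            "use_time": (end - logon.time) - lock - idle - console}


def sample_events() -> List[Event]:
    """Constructed sample log (not real event data): two sessions on one machine."""
    t = lambda h, m, s=0: datetime(2013, 10, 9, h, m, s)
    A, B = "0x1A2B3", "0x9F9F9"    # constructed Logon IDs for alice and bob
    return [
        Event(LOGON, t(8, 0), A, "alice"),
        Event(LOGON, t(8, 5), B, "bob"),
        Event(WORKSTATION_LOCKED, t(9, 0), A, "alice"),
        Event(WORKSTATION_LOCKED, t(9, 10), B, "bob"),      # other Logon ID: must not affect alice
        Event(WORKSTATION_UNLOCKED, t(9, 30), A, "alice"),
        Event(SCREENSAVER_INVOKED, t(10, 0), A, "alice"),
        Event(SCREENSAVER_DISMISSED, t(10, 20), A, "alice"),  # 20 min + 10 min delay = 30 min idle
        Event(SESSION_DISCONNECTED, t(11, 0), A, "alice"),
        Event(SESSION_RECONNECTED, t(11, 45), A, "alice"),
        Event(BEGIN_LOGOFF, t(12, 0), A, "alice"),
        Event(LOGOFF, t(12, 0, 5), A, "alice"),
        Event(SHUTDOWN, t(18, 0)),                            # bob never logged off: his session ends here
    ]


if __name__ == "__main__":
    for lid in ("0x1A2B3", "0x9F9F9"):
        r = session_use_time(sample_events(), lid)
        print(f"{r['user']}: end via {r['end_source']}, use time {r['use_time']}")
```

For alice the 4634 wins over the earlier 4647 and the later 4609, giving 4h 0m 5s minus 30 min locked, 45 min disconnected and 30 min of screen saver, i.e. 2h 15m 5s of use. For bob there is no 4634 or 4647 with his Logon ID, so the 4609 at 18:00 is taken as the end, and his lock that was never undone is clipped to that shutdown, leaving 1h 5m. On a real system the same functions would be fed with events read from the Security log (for example via Get-WinEvent), with the Logon ID taken from the event's XML.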

Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer

1 comment:

  1. Hi,

    Do you have a PowerShell script that does all this?
