How can I get the latest shut downs/starts/logins/log-outs in Windows?

How can I get the latest shut downs/starts/logins/log-outs / unsucessful logins in Windows 10?

I've read a few articles I found but I couldn't find a good answer.

for example: I went to event viewer > security:
I read that the eventID 4624 is a successful sign-in, which seems incorrect, look at this test:
- I shut down my computer at 08:08:30
- I started my computer at 08:10:39 (give or take 5 seconds)
- I signed in at 08:12:10 (entered my password and hit enter)

...yet, at 08:10:39 I can see event 4624 registered, how's this possible if I signed in later at 08:12:10?

any help much appreciated

You need to check the user - if you look in "Friendly View" on the "Details" tab in Event Viewer this is the TargetUserName value.

When you restart you'll get 4624 for many other users (System, Font Driver, Window Manager etc) before the 4624 messages for your user logon. I just did a reboot and got 74 4624 messages of which 3 were for different stages of my user logging on.

You can also check the LogonType value - 7 is unlock for example - others values are here Windows Security Log Encyclopedia

lx07 said:

You need to check the user - if you look in "Friendly View" on the "Details" tab in Event Viewer this is the TargetUserName value.

When you restart you'll get 4624 for many other users (System, Font Driver, Window Manager etc) before the 4624 messages for your user logon. I just did a reboot and got 74 4624 messages of which 3 were for different stages of my user logging on.

You can also check the LogonType value - 7 is unlock for example - others values are here Windows Security Log Encyclopedia

Thanks for your answer. I checked by TargetUserName and still found several under the username (name@hotmail.co.uk) much before I actually logged in. I found one at 08:10:41, when I actually enter my password at 08:12:10.

How can I search for this LogonType value - 7 is unlock? I couldn't find any such field.

This is the field I meant :



To query the event logs for type 7 I think you would need to use a script like this from an elevated powershell prompt :

Code:

# based on https://blogs.technet.microsoft.com/ashleymcglone/2015/08/31/forensics-automating-active-directory-account-lockout-search-with-powershell-an-example-of-deep-xml-filtering-of-event-logs-across-multiple-servers-in-parallel/
# 43,200,000 below is 12 hours (12 hours * 60 minutes * 60 seconds * 1,000 milliseconds).

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
        *[System[(EventID=4624)
        and TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]
        and *[EventData[(Data[@Name='LogonType'] = '7')]] 
    </Select>
  </Query>
</QueryList>
"@

$log=Get-WinEvent -FilterXml $query 

foreach ($i in $log){
  Write-Host $i.TimeCreated -noNewLine
  Write-Host ' Id :', $i.Id -noNewLine
  Write-Host ' TargetUserName :', $i.Properties[5].value -noNewLine
  Write-Host ' TargetDomainName :', $i.Properties[6].value -noNewLine
  Write-Host ' LogonType : ', $i.Properties[8].value
}

This script does last 12 hours (43,200,000 milliseconds) but you can change it.

Thank you lx07 this works like a charm, and Brink too, great help!