How can I get the latest shut downs/starts/logins/log-outs in Windows? Solved

  1.    #1

    How can I get the latest shut downs/starts/logins/log-outs in Windows?


    How can I get the latest shut downs/starts/logins/log-outs / unsuccessful logins in Windows 10?

    I've read a few articles I found but I couldn't find a good answer.

    for example: I went to event viewer > security:
    I read that the eventID 4624 is a successful sign-in, which seems incorrect, look at this test:
    - I shut down my computer at 08:08:30
    - I started my computer at 08:10:39 (give or take 5 seconds)
    - I signed in at 08:12:10 (entered my password and hit enter)

    ...yet, at 08:10:39 I can see event 4624 registered, how's this possible if I signed in later at 08:12:10?

    any help much appreciated

  2.    #2

    You need to check the user - if you look in "Friendly View" on the "Details" tab in Event Viewer this is the TargetUserName value.

    When you restart you'll get 4624 for many other users (System, Font Driver, Window Manager etc) before the 4624 messages for your user logon. I just did a reboot and got 74 4624 messages of which 3 were for different stages of my user logging on.

    You can also check the LogonType value - 7 is unlock, for example - other values are here: Windows Security Log Encyclopedia

  3.    #3

    lx07 said:
    You need to check the user - if you look in "Friendly View" on the "Details" tab in Event Viewer this is the TargetUserName value.

    When you restart you'll get 4624 for many other users (System, Font Driver, Window Manager etc) before the 4624 messages for your user logon. I just did a reboot and got 74 4624 messages of which 3 were for different stages of my user logging on.

    You can also check the LogonType value - 7 is unlock, for example - other values are here: Windows Security Log Encyclopedia
    Thanks for your answer. I checked by TargetUserName and still found several under the username (name@hotmail.co.uk) much before I actually logged in. I found one at 08:10:41, when I actually enter my password at 08:12:10.

    How can I search for this LogonType value - 7 is unlock? I couldn't find any such field.

  4.    #4

    This is the field I meant :

    [Screenshot: Capture.PNG]

    To query the event logs for type 7 I think you would need to use a script like this from an elevated PowerShell prompt:
    Code:
    # based on https://blogs.technet.microsoft.com/ashleymcglone/2015/08/31/forensics-automating-active-directory-account-lockout-search-with-powershell-an-example-of-deep-xml-filtering-of-event-logs-across-multiple-servers-in-parallel/
    # 43,200,000 below is 12 hours (12 hours * 60 minutes * 60 seconds * 1,000 milliseconds).
    
    $query = @"
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
            *[System[(EventID=4624)
            and TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]
            and *[EventData[(Data[@Name='LogonType'] = '7')]] 
        </Select>
      </Query>
    </QueryList>
    "@
    
    $log=Get-WinEvent -FilterXml $query 
    
    foreach ($i in $log){
      Write-Host $i.TimeCreated -noNewLine
      Write-Host ' Id :', $i.Id -noNewLine
      Write-Host ' TargetUserName :', $i.Properties[5].value -noNewLine
      Write-Host ' TargetDomainName :', $i.Properties[6].value -noNewLine
      Write-Host ' LogonType : ', $i.Properties[8].value
    }
    This script does the last 12 hours (43,200,000 milliseconds) but you can change it.
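The following is an added example, not code from any poster in this thread. It generalizes the type 7 query above into one timeline of sign-ins, failed sign-ins, sign-outs, boots and shutdowns, and drops the service-account 4624 events described in post #2. Assumptions not taken from the thread: event IDs 4625, 4634 and 4647 in the Security log, IDs 6005, 6006 and 1074 in the System log, the logon type names other than 7, and the excluded account domain names.

```powershell
# Added example: timeline of boots, shutdowns, sign-ins, sign-outs and failed sign-ins.
# Run from an elevated prompt; reading the Security log needs administrator rights.
$since = (Get-Date).AddHours(-12)   # same 12-hour window as the script above

# Logon types that mean a person at the console or in a remote desktop session.
$humanLogonTypes = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
# Account domains of built-in accounts that also log on at boot (assumed names).
$serviceDomains = 'Window Manager', 'Font Driver Host', 'NT AUTHORITY'
$labels = @{
    4624 = 'Sign-in'; 4625 = 'Failed sign-in'; 4634 = 'Logoff'; 4647 = 'User-initiated sign-out'
    6005 = 'Event log started (boot)'; 6006 = 'Event log stopped (clean shutdown)'
    1074 = 'Shutdown/restart requested'
}

function Get-EventFields($Record) {
    # Read EventData by field name rather than by position in .Properties,
    # because the field order differs between event IDs.
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634, 4647; StartTime = $since
} -ErrorAction SilentlyContinue
$system = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'EventLog', 'User32'; Id = 6005, 6006, 1074; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in @($security) + @($system)) {
    if (-not $e) { continue }
    $user = $null; $type = $null
    if ($e.LogName -eq 'Security') {
        $f    = Get-EventFields $e
        $user = $f['TargetUserName']
        $type = $f['LogonType']          # 4647 carries no LogonType field
        if ($f['TargetDomainName'] -in $serviceDomains) { continue }
        if ($e.Id -ne 4647 -and -not $humanLogonTypes.ContainsKey([int]$type)) { continue }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Event     = $labels[$e.Id]
        User      = $user
        LogonType = if ($type) { $humanLogonTypes[[int]$type] }
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize
```

Failed sign-ins (4625) only appear if the Audit Logon policy records failures on the machine.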

  5. Brink    #5

    Hello Antonio,

    I hope this may help with the shut down and restart logs.

    Read Shutdown Logs in Event Viewer in Windows | Windows 10 Tutorials

    For logoff and sign out logs:

    How to Read Logoff and Sign Out Logs in Event Viewer in Windows

    Here is some more info for logon event IDs that may help:

    Audit Logon (Windows 10) | Microsoft Docs

    Audit Other Logon/Logoff Events (Windows 10) | Microsoft Docs
    Last edited by Brink; 16 Sep 2018 at 13:15. Reason: new tutorial

  6.    #6

    Thank you lx07 this works like a charm, and Brink too, great help!

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.