Read Logoff and Sign Out Logs in Event Viewer in Windows  

    How to Read Logoff and Sign Out Logs in Event Viewer in Windows
    Published by Category: Performance & Maintenance
    19 Apr 2022
    Designer Media Ltd




    When a user logs off (signs out) of Windows, all of the apps that user was running are closed, but the PC isn't turned off. Another person can log in (sign in) without needing to restart the PC.

    You can use Event Viewer to view the date, time, and user details of all logoff events caused by a user initiated logoff (sign out).

    This tutorial will show you how to view the date, time, and user details of all user initiated logoff and sign out event logs in Windows 7, Windows 8, and Windows 10.



    Here's How:

    1 Press the Win + R keys to open Run, type eventvwr.msc into Run, and click/tap on OK to open Event Viewer.

    2 In the left pane of Event Viewer, open Windows Logs and Security, right click or press and hold on Security, and click/tap on Filter Current Log. (see screenshot below)

    If you have already filtered this log, click/tap on Clear Filter first and then click/tap on Filter Current Log to start over fresh.


    [Screenshot: user_initiated_logoff_event_logs-1.jpg]

    3 Enter the 4647 event ID into the <All Event IDs> field, and click/tap on OK. (see screenshot below)

    [Screenshot: user_initiated_logoff_event_logs-2.png]

    4 You can now view the details of user initiated logoff event logs. (see screenshot below)

    [Screenshot: user_initiated_logoff_event_logs-3.jpg]

    5 When finished viewing log details, you can close Event Viewer if you like.


    That's it,
    Shawn Brink
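The same filter as steps 2 to 4, run from PowerShell and extended to pull the account details out of each event, as an added example that is not part of the original tutorial. `$DaysBack` is an assumed look-back window; the `Target*` names are the data fields carried by event 4647.

```powershell
# Added example, not from the tutorial. $DaysBack is an assumed look-back window.
$DaysBack = 30

# Reading the Security log normally needs an elevated session; warn up front
# instead of silently returning nothing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Session is not elevated; the Security log may be unreadable.'
}

# Same filter as steps 2-3: Security log, event ID 4647, limited by start time.
$filter = @{ LogName = 'Security'; Id = 4647; StartTime = (Get-Date).AddDays(-$DaysBack) }

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    # Get-WinEvent reports "no matching events" as an error, not an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Each 4647 record carries the account that signed out in its EventData fields.
$rows = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        TimeCreated = $e.TimeCreated
        Computer    = $e.MachineName
        User        = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        # Same value as the Logon ID in that session's logon event (4624).
        LogonId     = $fields['TargetLogonId']
        RecordId    = $e.RecordId
    }
}

if ($rows) {
    $rows | Sort-Object TimeCreated |
        Format-Table TimeCreated, Computer, User, LogonId, RecordId -AutoSize
}
'Logoff events (ID 4647) in the last {0} days: {1}' -f $DaysBack, $events.Count
```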






  1. Posts : 16
    Windows 10 21H2 x64
       #1

    Hi Brink,
    Just a quick typo correction on this one. Step 2 indicates that the user/admin should access the Windows "System" log to filter for Logoff events. The images however show the "Security" log. The images are correct, Logoff events are in the security log. I think Step 2 needs to be corrected to say "Security" instead of "System". Thanks!


  2. Posts : 66,512
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    bumgarb42 said:
    Hi Brink,
    Just a quick typo correction on this one. Step 2 indicates that the user/admin should access the Windows "System" log to filter for Logoff events. The images however show the "Security" log. The images are correct, Logoff events are in the security log. I think Step 2 needs to be corrected to say "Security" instead of "System". Thanks!

    Thank you. Now corrected.


  3. Posts : 15,954
    Windows 10 Home x64 Version 22H2 Build 19045.3324
       #3

    Don't we have to enable security auditing before we can see these events?
    vistascape post #6 - TenForums
    Understating Guide of Windows Security Policies and Event Viewer - HackingArticles

    All the best,
    Denis


  4. Posts : 66,512
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #4

    Try3 said:
    Don't we have to enable security auditing before we can see these events?
    vistascape post #6 - TenForums
    Understating Guide of Windows Security Policies and Event Viewer - HackingArticles

    All the best,
    Denis

    Hello Denis,

    I didn't have to for these event logs.


  5. Posts : 17,908
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #5

    Hello @Brink,

    I have just put this Script together as an alternative. It outputs ALL the WinEvent ID 4647 entries to the Console, along with the Total number of WinEvent ID 4647 entries . . .

    Code:
    
    @echo off
    if not "%1"=="max" start /max cmd /c %0 max & Exit /b
    :: ##############################################################################################################
    :: # Title     : List ALL 'Logoff' and 'Sign Out' Entries for WinEvent ID 4647                                  #
    :: # Created By: Paul Black [ https://www.tenforums.com/members/paul-black.html ]                               #
    :: # Created On: 22-Sep-2022                                                                                    #
    :: # Tutorial  : https://www.tenforums.com/tutorials/117980-read-logoff-sign-out-logs-event-viewer-windows.html #
    :: ##############################################################################################################
    :: Run from an elevated (administrator) prompt: the Security log cannot be read otherwise,
    :: and -ErrorAction 'SilentlyContinue' hides the resulting error.
    Title WinEvent ID
    set "Security=Security"
    set "WinEvent_ID=4647"
    set "Title=WinEvent ID [%WinEvent_ID%]"
    :: Temporary file paths are quoted below so a profile path containing spaces still works.
    set "OUT=%Temp%\OUT.log"
    if exist "%OUT%" (del /f /q "%OUT%" >nul 2>&1)
    echo. & echo Processing . . .
    echo. & echo =====================================================================================================================================================================
            echo %Title%:-
            echo =============================================================================== START ===============================================================================& echo.
    >> "%OUT%"   PowerShell "Get-WinEvent -FilterHashtable @{LogName='%Security%'; Id=%WinEvent_ID%} -ErrorAction 'SilentlyContinue' | Format-Table ProviderName, TimeCreated, RecordID, LevelDisplayName, Id, Message -Autosize"
                 findstr /rc:"[^ <Tab>]" "%OUT%" & del "%OUT%"
    echo. & echo =====================================================================================================================================================================
                 PowerShell "'Total Entries for WinEvent ID [%WinEvent_ID%]: ' + (Get-WinEvent -FilterHashtable @{LogName='%Security%'; Id=%WinEvent_ID%} -ErrorAction 'SilentlyContinue').Count"
            echo ================================================================================ EOF ================================================================================
    echo. & echo Processing Complete.
    echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit
    
    
    

    I hope that this is useful.
    Last edited by Paul Black; 23 Sep 2022 at 08:15.


  6. Posts : 66,512
    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6



  7. Posts : 15,954
    Windows 10 Home x64 Version 22H2 Build 19045.3324
       #7

    I must have made a mistake before. I've just checked again and I'm seeing EventIDs 4647 after all.

    Denis


  8. Posts : 17,908
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #8

    Brink said:
    You are VERY welcome as always.


  9. Posts : 17,908
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #9

    Hello @Brink,

    For anybody wanting to output the results to the Desktop, then use this . . .

    Code:
    
    @echo off
    :: ##############################################################################################################
    :: # Title     : List ALL 'Logoff' and 'Sign Out' Entries for WinEvent ID 4647                                  #
    :: # Created By: Paul Black [ https://www.tenforums.com/members/paul-black.html ]                               #
    :: # Created On: 22-Sep-2022                                                                                    #
    :: # Tutorial  : https://www.tenforums.com/tutorials/117980-read-logoff-sign-out-logs-event-viewer-windows.html #
    :: ##############################################################################################################
    :: Run from an elevated (administrator) prompt: the Security log cannot be read otherwise,
    :: and -ErrorAction 'SilentlyContinue' hides the resulting error.
    Title WinEvent ID
    for /f "tokens=*" %%a in ('"PowerShell (New-Object -ComObject WScript.Shell).SpecialFolders(4)"') do (set "Desktop=%%a")
    if not exist "%Desktop%" (set "Desktop=%Desktop:~1%")
    set "Security=Security"
    set "WinEvent_ID=4647"
    set "Title=WinEvent ID [%WinEvent_ID%]"
    set "LOG=WinEvent_ID_%WinEvent_ID%.log"
    :: Output paths are quoted below so a Desktop or Temp path containing spaces still works.
    set "OFN=%Desktop%\%LOG%"
    set "OUT=%Temp%\OUT.log"
    if exist "%OFN%" (del /f /q "%OFN%" >nul 2>&1)
    if exist "%OUT%" (del /f /q "%OUT%" >nul 2>&1)
    echo. & echo  Processing . . .
    >> "%OFN%" echo.
    >> "%OFN%" echo =====================================================================================================================================================================
    >> "%OFN%" echo %Title%:-
    >> "%OFN%" echo =============================================================================== START ===============================================================================& >> "%OFN%" echo.
    >> "%OUT%"    PowerShell "Get-WinEvent -FilterHashtable @{LogName='%Security%'; Id=%WinEvent_ID%} -ErrorAction 'SilentlyContinue' | Format-Table ProviderName, TimeCreated, RecordID, LevelDisplayName, Id, Message -Autosize | Out-String -Width 1000"
                  findstr /rc:"[^ <Tab>]" "%OUT%" >> "%OFN%" & del "%OUT%" & >> "%OFN%" echo.
    >> "%OFN%" echo =====================================================================================================================================================================
    >> "%OFN%"    PowerShell "'Total Entries for WinEvent ID [%WinEvent_ID%]: ' + (Get-WinEvent -FilterHashtable @{LogName='%Security%'; Id=%WinEvent_ID%} -ErrorAction 'SilentlyContinue').Count"
    >> "%OFN%" echo ================================================================================ EOF ================================================================================
            echo  Processing Complete.
    echo. & echo  A [%LOG%] file has been created on the Desktop.
    echo. & echo ^>Press ANY key to EXIT . . . & pause >nul & Exit
    
    
    

    I hope this is useful.


 
