How to view who logged on to a Windows 10 computer

Page 2 of 2 FirstFirst 12

  1. Posts : 17,041
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #11

    selim said:
    Denis, this is better than what I could find but it's not perfect. I am basically trying to find out the list of users who logged on to this computer. Event viewer shows System logins too, so you have to scroll down to see real human logins, I wish Microsoft would have a unique Event ID for real human logons, so that I could filter the result.
    Try3 said:
    The Custom view definition I provided does not show System logins and it does not include EventID 4624.
    I've since provided an improved version of the Custom view in #6 of that other thread its OP has confirmed that it provides a manageable list of logons-logoffs
    Try3 said:
    That's all I get in that reduced Custom view.
    1 entry at each real user logoff
    2 entries at each real user logon [and I could not reduce that because they are both EventID 5]

    The non-reduced Custom view definition listed
    3 entries at each real user logoff
    5 entries at each real user logon


    And I agree that
    provides an even more concise listing.
    You might want to adjust its Options, Advanced options settings.


    All the best,
    Denis
      My Computer


  2. Posts : 16
    Windows 10
    Thread Starter
       #12

    Thanks, but this shows only current user. I need to see history of logons.
      My Computer


  3. Posts : 69,697
    64-bit Windows 11 Pro for Workstations
       #13

    selim said:
    Hi there!

    I have a Windows 10 computer that a few users remotely login to it to use an application.
    I am trying to find out how often they are logging in to it.

    To find out:
    I go to Event Viewer - Windows Logs - Security and filter the log with 4624 which is the Event ID for Logons

    I can see the user login but unfortunately, it logs bunch of SYSTEM logons too under this Event ID.

    Is there a way to display only the real users not SYSTEM?

    New Logon:
    Security ID: domain\userName
    Account Name: userName


    I appreciate any help!

    Thanks!

    PS: Windows 10 - Version 22H2
    Hello Selim,

    The EventID of Remote Desktop Services is 1149. You can try to filter with this ID in Event Viewer to get more specific results.

    Navigate to Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational. Right-click Operational and choose Filter Current Log.
      My Computers


  4. Posts : 16
    Windows 10
    Thread Starter
       #14

    Try3 said:
    I've since provided an improved version of the Custom view in #6 of that other thread its OP has confirmed that it provides a manageable list of logons-logoffs



    And I agree that

    provides an even more concise listing.
    You might want to adjust its Options, Advanced options settings.


    All the best,
    Denis
    Like I said before, it's a shorter list but still system logins exist. Here's a screenshot.
    How to view who logged on to a Windows 10 computer-screenshot-2023-03-24-135022.jpg
      My Computer


  5. Posts : 9,781
    Mac OS Catalina
       #15

    That is all that it will show for logins as already stated. You are not going to see third party logins if they are not installed on the OS as allowed user sign-ons.
      My Computer


  6. Posts : 17,041
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #16

    selim said:
    Like I said before, it's a shorter list but still system logins exist. Here's a screenshot.
    How to view who logged on to a Windows 10 computer-screenshot-2023-03-24-135022.jpg
    That is not a System login.
    It is a login of the user named in the redacted section
    How to view who logged on to a Windows 10 computer-screenshot-2023-03-24-135022.jpg


    Denis
      My Computer


  7. Posts : 1,888
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #17

    AFAIK, the full list of logon types is:

    Interactive (Logon Type 2)
    Network (Logon Type 3)
    Batch (Logon Type 4)
    Service (Logon Type 5)
    Unlock (Logon Type 7)
    Network Cleartext (Logon Type 8)
    NewCredentials (Logon Type 9)
    RemoteInteractive (Logon Type 10)
    CachedInteractive (Logon Type 11)

    Instead of filtering out Service logons (type 5) by System, you could perhaps filter for remote interactive logons (type 10).

    1. Right-click on Start, select Windows PowerShell (Admin).

    2. Copy/paste/enter the following query:
    Code:
    Get-WinEvent -ProviderName 'Microsoft-Windows-Security-Auditing' -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"

    I don't have a way of showing the results for remote interactive logons (type 10) but if I filter for local interactive logons (type 2) then I get results like this:

    How to view who logged on to a Windows 10 computer-logged_on.png

    The problem is... I can find no method of including a 'username' in the returned results (nor do I know why each logon appears multiple times).
      My Computer


  8. Posts : 17,041
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #18

    Try3 said:
    I have worked on a further reduction in entries.
    This newly-revised Custom view only shows a single entry for each logon and a single entry for each logoff.
    User log on-off - reduced more.zip
    The entries are
    Logon

    Logoff

    All the best,
    Denis
      My Computer


  9. Posts : 840
    Windows 7
       #19

    I was sad that das10 removed his previous reply, linking to The PoSh Wolf's article: Finding remote or local login events and types using PowerShell. That PowerShell approach using "Get-WinEvent -FilterHashtable" was worth following.

    Some of my general observations:

    1. Event ID 4624 doesn't just record logons, more like every instance where logon credentials are presented on behalf of Windows processes, for example: winlogon.exe, svchost.exe and consent.exe.

    2. Filtering out TargetDomainName not matching ComputerName, removes all the non-user Windows services like DWM and the Font Manager.

    3. Filtering out ProcessName matching consent.exe, removes all the UAC elevation requests.

    4. Tracking LogonType Network (3) isn't needed, since it always proceeds RemoteInteractive (10).

    5. Event 4624 for logon sessions creates a pair of LogonID's, with the latter ID actually tracked and matched on the corresponding logout event.

    6. PowerShell 5 support for -FilterHashtable constructs is limited. SuppressHashFilter isn't available, so you have to add your own object filtering. Performance for the PS5-only version is very slow, but PS7 runs either script version very fast like it's better optimized for it.

    7. FilterHashtable is ridiculously simple to write. There's no learning curve unlike XPath where you're expected to know the underlying data structure's classes.

    8. WinLogOnView provides us similar results, but what's the fun in not learning how to write our own code?


    For those who enjoy coding, I present my extension on PoSh Wolf's script. In both PS5- and PS7-compatible formats, as noted the PS7 version runs very fast. But in the end, we didn't answer the OP's question. Knowing when someone is online and for how long doesn't confirm if they're running a specific program.

    To solve that problem, we need to enable Audit process tracking. Then change the current script to track Process Creation and Termination events, based on the logged ProcessName.

    How to view who logged on to a Windows 10 computer-capture.png

    The code mostly works, but I'm sure someone can improve on it.


    The two LogonSession.ps1 scripts don't require any arguments, but do need to run as Administrator. TrackUsage.ps1 requires a single argument of the program name you're trying to search for. This provides a better idea of exactly when users are running a given app.

    powershell -f PS5_LogonSession.ps1
    pwsh -f PS7_LogonSession.ps1

    powershell -f TrackUsage.ps1 appname.exe
    How to view who logged on to a Windows 10 computer Attached Files
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 07:29.
Find Us




Windows 10 Forums