Windows 10: Audit Lock/Unlock events

Discussion in 'AntiVirus, Firewalls and System Security' started by MarioVeras1, Aug 14, 2020.

  1. Audit Lock/Unlock events


    I know how to enable advanced auditing for other logon-logoff events in order to catch lock/unlocking of a Windows computer. See link for reference:


    https://docs.microsoft.com/en-us/pr...-and-2012/dn311470v=ws.11?redirectedfrom=MSDN


    However, I need to enable this through the registry instead of Group Policy or Local Policy. What Registry values do I need to change to enable these security audits?

    :)
     
    MarioVeras1, Aug 14, 2020
    #1
  2. homer_3 Win User

    Q about audit logs

    When setting up audit logging under Computer Configuration -> Windows Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> Audit Account Lockout, if I enable the Success option, how does this log get triggered? When an account is locked out, a failure event is fired under the Account Locked category. But when an account is unlocked, an event is fired under the User Account Management category. How would a successful account lockout event get fired? What would that even be?
     
    homer_3, Aug 14, 2020
    #2
  3. Waxen Win User
    Windows 10: Scheduled tasks with workstation lock/unlock not being triggered

    I solved this by bypassing the "On Workstation Lock/Unlock" trigger types, and setting triggers to look at the Windows event log directly.

    It's not ideal, but should be sustainable. Definitely still curious about why the triggers provided by Task Scheduler aren't working though.

    Configure Lock/Unlock Events

    By default, the lock/unlock events are not audited to the event log; you will need to enable logging of these events. You can do so from the Group Policy editor:

    and configuring the following category:

    (In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)

    Credit: https://stackoverflow.com/a/15904838/1216896

    Create Triggers

    From there, you can set up triggers to the 4800 (lock) and 4801 (unlock) events like so:


     
    Waxen, Aug 14, 2020
    #3
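
    The two steps described in the post above (enable the audit subcategory, then read events 4800 and 4801 from the Security log), as an added PowerShell example that is not part of the original thread. It uses auditpol rather than the Group Policy editor and assumes an elevated prompt, the English subcategory name, and the standard EventData field names of these events.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# 1. Enable success auditing for the subcategory that logs workstation lock/unlock.
#    The subcategory name is localized; this is the English name (assumption).
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable | Out-Null
auditpol /get /subcategory:"Other Logon/Logoff Events"

# 2. Read lock (4800) and unlock (4801) events from the last 24 hours, oldest first.
$filter = @{ LogName = 'Security'; Id = 4800, 4801; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# 3. Flatten each event's named EventData fields into an object.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 4800) { 'Lock' } else { 'Unlock' }
        User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Session = $data['SessionId']
    }
}

# 4. Pair each lock with the next unlock in the same session to get locked intervals.
$open = @{}
$intervals = foreach ($r in $rows) {
    $key = "$($r.User)|$($r.Session)"
    if ($r.Action -eq 'Lock') { $open[$key] = $r.Time }
    elseif ($open.ContainsKey($key)) {
        [pscustomobject]@{
            User = $r.User; Session = $r.Session
            Locked = $open[$key]; Unlocked = $r.Time
            Minutes = [math]::Round(($r.Time - $open[$key]).TotalMinutes, 1)
        }
        $open.Remove($key)
    }
}
$intervals | Format-Table -AutoSize
# Unlocks with no preceding lock in the window, and locks still open, are skipped here.
```

    If step 2 returns nothing after a lock/unlock cycle, check the output of the `auditpol /get` line: a domain Group Policy can overwrite the local setting on the next policy refresh.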
  4. Hydrate Win User

    Audit Lock/Unlock events

    Unlocker programs

    It's always great to have multiple tools in your toolkit, hence why it is a toolkit.

    I prefer to use UnlockIT because it has a more advanced GUI that allows me to view all the .dll's and process hooks in the locked files.

    It also has more features that can be seen here: Feature List - UnLock IT
    The best of the best in my opinion, however, I would have both in my toolkit in the event UnlockIT cannot do the job for some strange reason (which it has not given any problems).
     
    Hydrate, Aug 14, 2020
    #4