• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 403
  • Last Modified:

Looking for an app to detect windows locks/unlocks

Basically, I have an employee who is constantly locking their computer and leaving for several minutes and coming back and unlocking their computer. Normally we don't care, but the frequency is getting extreme, and before we approach him about it, we want to find out how many times he does this per day and how long he's away. I've tested some keyloggers, but they only record the keystrokes leading up to the lock.

So if the user presses Windows key + L to lock the computer, the keyloggers will only record the Windows key. Or if they use Ctrl+Alt+Del to get into the menu where they can lock the computer, the keylogger will only see the Ctrl+Alt, but no Del. And when the computer is unlocked, there's no record of the Ctrl+Alt+Del combo to initiate the unlocking. So does anyone know of a key logging program or something that will just monitor the locks and unlocks of a workstation? Obviously, it would have to be a stealthy program to avoid detection.

2 Solutions
How about a utility that parses the event log for Account Lockout events? I use GFI's Event Log Monitor.
Just out of curiosity, why exactly is this a problem?  Surely you'd want to encourage users locking their desktops while they're not at their computers?  (Just curiosity really)

Right, now that I've got it out of the way, what you want to be doing is first ensuring that these events are logged.  Fire up your Group Policy editor, and expand:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies

Turn on Success and Failure events under "Audit logon events"  (if you already have a domain wide policy in place its all good)

You'll see events 528 and 538 logged in your system's Security log.  Now that's for all logons, so to narrow it down you want to be looking at the Logon type - 7's the magic number here.  Basically, you just want to parse the logfile on the machine, and pull out all 528/538s, and then count the number with logon type 7.  

Let me know if you want a Logparser query that will give you a handy little report with number per day etc.  (I'm just leaving for home noe, so I can only get to it tomorrow morning)

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now