Note: See these articles: Enable logon and logoff events via GPO, and Logon and Logoff events.
First, we need a general algorithm.
Use time (for a given logon session) = Logoff time – Logon time
Now, what about the cases where the user powers off the machine, or it bluescreens, or a token leak prevents the logoff event from being generated, etc.? We can use the BEGIN_LOGOFF event to handle token leak cases. We can use the shutdown event in cases where the user does not log off. And in case of crashes, the only event we can use is the startup event. Note that each of these introduces increasing levels of uncertainty.
Logoff time = (logoff time | begin_logoff time | shutdown time | startup time)
This is good, but what about the time the workstation was locked?
Workstation lock time = unlock time – lock time
Total workstation lock time (for a given logon session) = SUM(workstation lock time)
How about remote desktop & terminal server sessions, and fast user switching? You can connect to and disconnect from logon sessions, during which time the user technically isn’t using the computer.
Session idle time = session connect time – session disconnect time
Total session idle time (for a given logon session) = SUM(session idle time)
How about times when the machine was idle? We can estimate that by looking at the time the screen saver was in place and adding the screen saver timeout.
Console idle time = (screen saver dismiss time – screen saver invoke time + screen saver delay)
Total console idle time = SUM(console idle time)
Putting all of this together and modifying our original formula, we get:
Use time (for a given logon session) =
Logoff time – logon time
– SUM(workstation lock time)
– SUM(session idle time)
– SUM(console idle time)
When we expand it, it is not quite so pretty:
Use time (for a given logon session) =
( (logoff time | begin_logoff time | shutdown time | startup time) – logon time )
– SUM(unlock time – lock time)
– SUM(session connect time – session disconnect time)
– SUM(screen saver dismiss time – screen saver invoke time + screen saver delay)
You have to be very careful that you only look at events that are properly contained chronologically between two other appropriate events, to avoid accidentally pairing the wrong logon and logoff events, or pairing a lock workstation event from one logon session with a different logon session. The best correlation field is the Logon ID field; the next best are the timestamp and the user name. At various times you need to examine all of these fields.
The following list displays the various Event IDs that are useful for analysing a user’s logon activity.
4608 STARTUP
4609 SHUTDOWN
4624 LOGON
4634 LOGOFF
4647 BEGIN_LOGOFF
4778 SESSION_RECONNECTED
4779 SESSION_DISCONNECTED
4800 WORKSTATION_LOCKED
4801 WORKSTATION_UNLOCKED
4802 SCREENSAVER_INVOKED
4803 SCREENSAVER_DISMISSED
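As an added example that is not part of the original article, here is a Python implementation of the expanded formula above, run over a constructed set of events given as (event ID, timestamp, Logon ID) tuples. The 10-minute screen saver delay, the Logon ID values and the sample timeline are assumptions; the Logon ID correlation and the "only events inside the session" rule follow the caveat above.

```python
from datetime import datetime, timedelta

STARTUP, SHUTDOWN, LOGON, LOGOFF, BEGIN_LOGOFF = 4608, 4609, 4624, 4634, 4647
RECONNECT, DISCONNECT, LOCK, UNLOCK, SS_ON, SS_OFF = 4778, 4779, 4800, 4801, 4802, 4803
# Start-event -> end-event pairs whose duration is subtracted from the session.
IDLE_PAIRS = {LOCK: UNLOCK, DISCONNECT: RECONNECT, SS_ON: SS_OFF}
END_TO_START = {end: start for start, end in IDLE_PAIRS.items()}

def t(hhmm):
    return datetime.strptime(hhmm, "%H:%M")

def use_time(events, screensaver_delay=timedelta(minutes=10)):
    """Map Logon ID -> use time for closed sessions. events are (event_id,
    timestamp, logon_id) tuples; 4608/4609 carry logon_id None."""
    events = sorted(events, key=lambda e: e[1])
    result = {}
    for i, (eid, start, lid) in enumerate(events):
        if eid != LOGON:
            continue
        # Logoff fallback chain: logoff/begin_logoff for this Logon ID, else next shutdown/startup.
        end = next((w for e, w, l in events[i + 1:]
                    if (e in (LOGOFF, BEGIN_LOGOFF) and l == lid)
                    or e in (SHUTDOWN, STARTUP)), None)
        if end is None:
            continue  # session still open
        idle, pending = timedelta(), {}
        for e, w, l in events[i + 1:]:
            if w > end:
                break  # only events chronologically inside this session
            if l != lid:
                continue  # correlate on Logon ID, not just timestamp
            if e in IDLE_PAIRS:
                pending[e] = w
            elif e in END_TO_START and END_TO_START[e] in pending:
                s = END_TO_START[e]
                idle += w - pending.pop(s)
                if s == SS_ON:  # screen saver: add the timeout back
                    idle += screensaver_delay
        result[lid] = end - start - idle  # unpaired starts are ignored
    return result

# Constructed sample: two users via fast user switching; the second never logs off.
SAMPLE = [
    (STARTUP, t("08:00"), None), (LOGON, t("09:00"), "0x1a2b"),
    (LOCK, t("10:00"), "0x1a2b"), (UNLOCK, t("10:30"), "0x1a2b"),
    (SS_ON, t("12:00"), "0x1a2b"), (SS_OFF, t("12:20"), "0x1a2b"),
    (LOGON, t("13:00"), "0x3c4d"), (LOCK, t("13:10"), "0x3c4d"),
    (UNLOCK, t("13:15"), "0x3c4d"), (BEGIN_LOGOFF, t("17:00"), "0x1a2b"),
    (LOGOFF, t("17:01"), "0x1a2b"), (SHUTDOWN, t("18:00"), None),
]
```

For the sample, the first session yields 7 hours (8 hours minus 30 minutes locked and 30 minutes of screen saver idle) and the second 4 hours 55 minutes, ended by the shutdown event.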
Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer