Refer to the article Tracking User Logon Activity using Logon and Logoff Events to learn how to track a user's logon duration from logon 4624 and logoff 4634 events.
Summary:
- Event ID 4634 Log Source
- How to enable Logoff event 4634 through Group Policy
- How to enable Logoff event 4634 using Auditpol
- How to stop/disable logoff event 4634
Event ID 4634 Log Source
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/5/2013 2:28:53 PM
Event ID: 4634
Task Category: Logoff
Level: Information
Keywords: Audit Success
User: N/A
Computer: myPC.myDomain.com
Description:
An account was logged off.
Subject:
    Security ID: SYSTEM
    Account Name: myPC$
    Account Domain: myDomain
    Logon ID: 0x1F759B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
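The Logon ID correlation described in the event text can be done with PowerShell. The script below is an added example, not part of the original article; it assumes PowerShell 3.0 or later, an elevated session, and the standard EventData field names TargetLogonId, TargetUserName, TargetDomainName and LogonType. It limits the query to the current boot because Logon IDs are only unique between reboots.

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.
# Confirm the Logoff subcategory is audited; without it no 4634 events are written.
auditpol /get /subcategory:"Logoff"

# Logon IDs repeat after a reboot, so only look at events since the last boot.
$bootTime = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $bootTime
} -ErrorAction SilentlyContinue

# Flatten the EventData fields needed for correlation.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        LogonId   = $data['TargetLogonId']
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $data['LogonType']
    }
}

# Index logon events (4624) by Logon ID.
$logons = @{}
$records | Where-Object { $_.Id -eq 4624 } | ForEach-Object { $logons[$_.LogonId] = $_ }

# Match each logoff (4634) to its logon and report the session duration.
$records | Where-Object { $_.Id -eq 4634 } | Sort-Object Time | ForEach-Object {
    $start = $logons[$_.LogonId]
    if ($start -and $start.Time -le $_.Time) {
        [pscustomobject]@{
            User      = $start.User
            LogonType = $start.LogonType
            LogonId   = $_.LogonId
            Logon     = $start.Time
            Logoff    = $_.Time
            Duration  = $_.Time - $start.Time
        }
    }
}
```

A 4634 event with no matching 4624 in the output means the logon happened before the last boot or has already rolled out of the Security log.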
How to enable Logoff event 4634 through Group Policy
1. Open Group Policy Management Console by running the command gpmc.msc
2. Expand the domain node, then right-click on the Default Domain Policy, and click the Edit option.
3. Expand the Computer Configuration node, and go to the node Audit Policy (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
4. Navigate to the right side pane, select the policy Audit logon events, and set the success audit value.
5. In Windows 7/Server 2008 R2 and later versions, you can also enable Event ID 4634 through Advanced Audit Policy Configuration. Expand the Computer Configuration node, and go to the node Advanced Audit Policy Configuration (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration).
6. Expand this node, go to Logon/Logoff (Audit Policies->Logon/Logoff), then select the setting Audit Logoff, and set its value to Success.
7. Run the command GPUpdate /force to apply this setting on all the computers.
How to enable Logoff Event ID 4634 using Auditpol
Auditpol.exe is the command-line utility for changing Audit Security settings at the category and sub-category level. It is available by default in Windows 2008 R2 and later versions/Windows 7 and later versions. By using Auditpol, we can get/set Audit Security settings at the per-user level and the computer level.
Note: You should run the Auditpol command with elevated privilege (Run As Administrator).
You can enable audit Event ID 4634 by using the following command:
Auditpol /set /subcategory:"Logoff" /success:enable
How to stop/disable Event ID 4634
You can disable success audit Event ID 4634 by using the following command:
Auditpol /set /subcategory:"Logoff" /success:disable
You can also stop this event by removing the success setting from the GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->Logon/Logoff->Audit Logoff.
Note: You need to refresh/update the GPO after every change by running the command GPUpdate /force.
Note: This article applies to Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer