James

Reputation: 1769

Related Logon and Logoff events in Windows using Win32_NTLogEvent class

I'm trying to get the login and logoff events from the Win32_NTLogEvent class. To do it, I'm using the following WMI query:

PATH Win32_NTLogEvent WHERE "(EventIdentifier = 4648 OR EventIdentifier = 4647 OR EventIdentifier = 4634) And TimeGenerated > '201811010000'" GET /ALL

The query works fine and returns all the relevant logons and logoffs. The problem is: how can I relate both events? I mean, how can I tell which logoff is linked to which logon event?

Analyzing the (not so clear) documentation for the events 4648 (logon attempt) and 4634 (An account was logged off), it looks like both have a linked ID, considering SubjectLogonId for the 4648 event and TargetLogonId for the 4634 event.

Considering this information, I'm parsing the returned events, getting the IDs from the InsertionStrings and trying to find the linked IDs, but I didn't find any.

Am I misunderstanding something, or am I looking for the wrong information?

I tested it in Windows 10 and also in Windows Server 2012, but I'm looking for something that works in as many versions as possible.

Some background:

In short, I want to know the login/logoff times and session duration for some specific dates. I am able to get the logon and logoff times for a specific user using the following WMI query (Win32_NetworkLoginProfile class):

PATH Win32_NetworkLoginProfile WHERE "Name='DOMAIN\\user'" GET LastLogon, LastLogoff

My intention with the first query is almost the same, but I want the info for all users without knowing each username. My best guess is to use the Win32_NTLogEvent class as described, but this is not mandatory.

Upvotes: 5

Views: 1808

Answers (2)

user10316640

You are attempting to use a 4648 Logon Attempt. This event only indicates an attempt was made and whether or not it was successful.

The event you should look for is 4624 "An account was successfully logged on.", and the Logon ID for that event will correlate with the Logon ID for the 4634 "An account was logged off."

To comment on your background statement of "LastLogon, LastLogoff": these values are updated in Active Directory on every logon or logoff, but no history is kept.

I know the WBEM interface has existed since Windows XP; I cannot find proof that your PowerShell queries will work on that platform, however, they should work without modification on Windows 7+ and Server 2008+.

Upvotes: 2
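The correlation the answer above describes (4624 and 4634 share a TargetLogonId), written out as a runnable PowerShell script. This is an added example, not code from the question or either answer. It uses Get-WinEvent and reads the named fields from each event's XML rather than positional InsertionStrings, so no field index has to be assumed; it does assume the Security log is readable (run elevated), that Logon/Logoff auditing is enabled, and that the $StartTime/$EndTime/$LogonTypes parameters are supplied by the caller. Sessions with no matching 4634 in the window (still open, or logoff auditing disabled) are reported with an empty Logoff rather than dropped.

```powershell
# Added example (not from the original page): pair 4624 logons with 4634 logoffs
# by TargetLogonId and compute session durations.
# Assumptions: elevated session, Audit Logon/Logoff enabled, parameters chosen by the caller.
param(
    [datetime]$StartTime = (Get-Date).AddDays(-7),
    [datetime]$EndTime   = (Get-Date),
    # 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
    # Type 3 (network) logons are omitted by default because they create many short-lived pairs.
    [int[]]$LogonTypes   = @(2, 10, 11)
)

# Read named EventData fields (TargetLogonId, LogonType, ...) from the event XML.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634
    StartTime = $StartTime
    EndTime   = $EndTime
} -ErrorAction Stop

$sessions      = @{}   # TargetLogonId -> session record
$orphanLogoffs = 0     # 4634 whose 4624 is outside the window or filtered out

foreach ($e in ($events | Sort-Object TimeCreated)) {
    $d  = Get-EventData $e
    $id = $d['TargetLogonId']

    if ($e.Id -eq 4624) {
        # -notcontains rather than -notin keeps this working on PowerShell 2 (Windows 7 / 2008 R2).
        if ($LogonTypes -notcontains [int]$d['LogonType']) { continue }
        $sessions[$id] = [pscustomobject]@{
            LogonId   = $id
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = [int]$d['LogonType']
            Logon     = $e.TimeCreated
            Logoff    = $null
            Duration  = $null
        }
    }
    elseif ($sessions.ContainsKey($id)) {
        $s = $sessions[$id]
        $s.Logoff   = $e.TimeCreated
        $s.Duration = $e.TimeCreated - $s.Logon
    }
    else {
        $orphanLogoffs++
    }
}

$sessions.Values | Sort-Object Logon | Format-Table User, LogonType, Logon, Logoff, Duration -AutoSize
Write-Host ("{0} sessions, {1} still open in window, {2} unmatched logoffs" -f `
    $sessions.Count, (@($sessions.Values | Where-Object { $_.Logoff -eq $null })).Count, $orphanLogoffs)
```

Save as a .ps1 and run, for example, `.\Get-Sessions.ps1 -StartTime '2018-11-01' -EndTime '2018-11-02'` (hypothetical file name). If you prefer to stay on Win32_NTLogEvent as in the question, the same pairing works with EventCode 4624/4634 and the Logon ID taken from InsertionStrings, but the position of that string differs between the two event IDs, which is the main reason to read the named XML fields instead. Reboots and some service logons also leave 4624 events with no 4634, so treat an empty Logoff as "unknown end", not as an active session.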

styx

Reputation: 1915

In Windows Vista (or Windows Server 2008) and above, this PowerShell command should do the trick:

Get-WmiObject -Query "select Name, LastLogon, LastLogoff from Win32_NetworkLoginProfile WHERE {your logic here}"

However, if you want to use the Win32_NTLogEvent class, which supports Windows XP, I think it cannot be done, for two reasons:

  1. The EventIdentifier in that class specifies the metadata about the event types, which can be 1-5, meaning: Error, Warning, Information, Security Audit Success and Security Audit Failure. You should look into EventCode instead, which leads me to my second point.

  2. Two events from the same source may have the same value for this property but may have different severity and EventIdentifier values. For example, a successful logoff is recorded in the Security log with the Event ID 538. However, Event IDs are not necessarily unique. It is possible that, when retrieving Event ID 538, you can get other kinds of events with ID 538. If this happens, you might need to filter by the source as well as ID.

And finally, as you might have noticed, auditing events (like 4648, 4647) are supported on Windows 10 (or Windows Server 2016).

Upvotes: 1
