I'm trying to get the login and logoff events from the Win32_NTLogEvent class. To do it, I'm using the following WMI query:
PATH Win32_NTLogEvent WHERE "(EventIdentifier = 4648 OR EventIdentifier = 4647 OR EventIdentifier = 4634) And TimeGenerated > '201811010000'" GET /ALL
The query is working fine and brings in response all the relevant logons and logoffs for me. The problem is: How can I relate both events? I mean, how can I link which logoff is linked with some logon event?
Analyzing the (not so clear) documentation for events 4648 (logon attempt) and 4634 (an account was logged off), it looks like both have a linked ID: SubjectLogonId for the 4648 event and TargetLogonId for the 4634 event.
Considering this information, I'm parsing the returned events, getting the IDs from the InsertionStrings and trying to find the linked IDs, but I didn't find any.
Have I misunderstood something, or am I looking for the wrong information?
I tested it in Windows 10 and also in Windows Server 2012, but I'm looking for something that works in as many versions as possible.
Some background:
In short, I want to know the login/logoff times and session duration for some specific dates. I am able to get the logon and logoff times for a specific user using the following WMI query (Win32_NetworkLoginProfile class):
PATH Win32_NetworkLoginProfile WHERE "Name='DOMAIN\\user'" GET LastLogon, LastLogoff
My intention with the first query is almost the same, but I want the info for all users without knowing each username. My best guess is the use of the Win32_NTLogEvent class as described, but this is not mandatory.
You are attempting to use a 4648 Logon Attempt. This event only indicates an attempt was made and whether or not it was successful.
The event you should look for is 4624 "An account was successfully logged on.", and the Logon ID for that event will correlate with the Logon ID for the 4634 "An account was logged off."
To comment on your background statement of "LastLogon, LastLogoff": these values are updated in Active Directory on every logon or logoff, but no history is kept.
I know the WBEM interface has existed since Windows XP. I cannot find proof that your PowerShell queries will work on that platform; however, they should work without modification on Windows 7+ and Server 2008+.
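The correlation the answer describes, as an added example (this is not code from the question or the answer): read 4624 and 4634/4647 from the Security log with Get-WinEvent, pull TargetLogonId by name from the event XML instead of guessing an InsertionStrings index, and pair each logon with the logoff that carries the same Logon ID to get a session duration. It assumes an elevated PowerShell 3.0 or later session (standard users cannot read the Security log), the start date from the question, and the standard field names from the 4624/4634/4647 event schemas; the logon-type filter at the end is an assumption about which sessions you care about.

```powershell
# Added example, not part of the original page. Pairs 4624 logons with the
# 4634/4647 logoff that has the same TargetLogonId and reports session length.
# Assumes an elevated PowerShell 3.0+ session on Windows 7 / Server 2008 R2 or
# later (Get-WinEvent and [pscustomobject] are needed).
$since = Get-Date '2018-11-01'    # same start date as the question's WQL filter

# 4624 = successful logon, 4634 = session ended, 4647 = user-initiated logoff
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4634, 4647
    StartTime = $since
} -ErrorAction Stop

# Turn the <EventData> section into a hashtable keyed by field name so the
# Logon ID can be read as 'TargetLogonId' rather than by positional index.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$logons   = @{}                                            # TargetLogonId -> open logon
$sessions = New-Object System.Collections.Generic.List[object]

foreach ($e in ($events | Sort-Object TimeCreated)) {
    $d  = Get-EventData $e
    $id = $d['TargetLogonId']                              # hex string, e.g. 0x3e7-style LUID
    switch ($e.Id) {
        4624 {
            # A Logon ID (LUID) is unique only since the last boot, so keep the
            # most recent 4624 per ID; an earlier one with the same ID is stale.
            $logons[$id] = [pscustomobject]@{
                LogonId   = $id
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = [int]$d['LogonType']
                LogonTime = $e.TimeCreated
            }
        }
        { 4634, 4647 -contains $_ } {
            if ($logons.ContainsKey($id)) {
                $l = $logons[$id]
                $sessions.Add([pscustomobject]@{
                    User        = $l.User
                    LogonId     = $id
                    LogonType   = $l.LogonType
                    LogonTime   = $l.LogonTime
                    LogoffTime  = $e.TimeCreated
                    Duration    = $e.TimeCreated - $l.LogonTime
                    LogoffEvent = $e.Id
                })
                $logons.Remove($id)
            }
            # A logoff with no stored logon means the 4624 is older than $since
            # or was lost to log rollover; it is ignored here.
        }
    }
}

# Assumed filter: Interactive (2), Unlock (7), RemoteInteractive (10) and
# CachedInteractive (11) are what users think of as a "session"; network
# logons (type 3) are very frequent and last only seconds, so they are dropped.
$sessions | Where-Object { 2, 7, 10, 11 -contains $_.LogonType } |
    Sort-Object LogonTime | Format-Table -AutoSize

# Whatever is still in $logons has no matching logoff: the user is still logged
# on, or the machine rebooted / the log rolled over before the logoff was written.
$logons.Values | Format-Table User, LogonId, LogonType, LogonTime -AutoSize
```

Reading the Logon ID from the event XML by name is what makes this portable across Windows versions: the position of the field inside InsertionStrings differs between event schemas, but the Data Name attribute does not. The leftover entries in $logons are the honest answer for sessions that have not ended (or whose end was never logged), which a naive LastLogon/LastLogoff pair cannot express.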