windows 8 - Win8 Event Viewer

07
2014-07
  • Harold

    I recently followed the answer on this site "Uninstalled Programs History...".

    That opened several hours of experimentation with Event Viewer.

    My question: why are there many installed programs (many are games) that do not appear in Event Viewer?

  • Answers
  • techie007

    It's because the answer you saw is regarding showing you events logged by the MSIInstaller service.

    This is the 'usual' Windows installer system, but it's not the only way to install programs.

    Some/many programs use their own installer, or none at all.

    Those ones may or may not write events, depending on if the author programmed it to or not.


  • Related Question

    windows 7 - How can I use Event Viewer to confirm login times filtered by User?
  • 5arx

    I'm required to log my start and finish times at work. Occasionally I forget to do this and had a bright idea that checking the Security events log would allow me to retrospectively ascertain my times.

    Unfortunately, the logs are much bigger than I thought and take a while even to display in Event Viewer. Also, I tried filtering the logs by date and userid but so far this has yielded no results.

    Assuming my idea is feasible, can anyone step-through what I'd need to do to retrieve the information I need?

    UPDATE:

    I followed @surfasb 's instructions and got the to point where I can see only the logins, however some of these are System-level (i.e. non-human) logins. I would like to see only my 'physical' logins (there would only be two or three such events on weekdays) and not all the other stuff.

    I've tried putting my Windows username in the field as shown below using both domain\username and just username but this just filters out everything. Can you assist?



  • Related Answers
  • surfasb

    The default configuration makes it rather messy. This is because Windows also tracks any time you have to log in to network computers. It also tracks every time your computer account, not the user account, creates a login session.

    You should use the audit account logon option and not the audit logon option.

    The events you are looking for will have your account's Fully Qualified Domain Name. For example, if you are not on a domain, the search text you are looking for is computer_name / account_name.

    edit

    Another idea is to create login and logoff scripts. Depending on your edition of Windows 7, you can use gpedit.msc to bring up the Group Policy Console.

    Then you'll just need a batch file that has the command logevent "My login/logoff event" -e 666. This event will show up in the Application Log.

    edit

    This will be easier if you are not on a domain. If you go under Local Security / Local Policies / Security options, look for the "Force Audit..." option. I forgot the name of it. But disable it. That will make the Security logs less verbose, since a user logging in at the console, in some cases, shares the same Event ID. Some Event IDs you want to look for:

    • Event 4647 - this is when you hit the logoff, restart, shutdown button. Windows update restarting your computer also sometimes sets off this event :(
    • Event 4648 - this is when a process (which includes the login screen) uses your explicit credentials, rather than say a token, to login. This includes the Runas command and a lot of times, backup programs.
    • Event 4800 - When your workstation is locked, like pressing WIN + L
    • Event 4801 - When your workstation is unlocked

    Generally, you can get by using events 4647 and 4648. Unfortunately there isn't a sure fire method since there are a thousand things that happen when you login and logoff your computer.

    For what it is worth, at work, we look for the login script to fire and at logoff, there are two programs as well as a sync event we look for as sure fire events.

  • celicni

    I've had the same problem, and managed to solve it using these steps:

    A: Install MyEventViewer (freeware) and open the events list in this program.

    Unfortunately, I haven't found how to filter the events by description (and the description is where the login name is stored) in MyEventViewer, but at least it displays the description in the main table.

    B: Export this table to log1.txt

    C: Use some advanced text search program to extract login times for given user.

    I used grep.

    This is the format of exported events:

    Log Type : Security
    Event Type : Audit Success
    Time : 10.12.2012 18:33:24
    Event ID : 680
    User Name : SYSTEM
    Computer : YYY
    Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0x0
    ==================================================

    First, extract all logon attempts by user XXX.

    $ grep -B 4 "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX" log1.txt > log2.txt

    This will filter the logon attempts by user XXX and print them to log2.txt. The -B 4 grep option is needed because the info we're looking for (login time) is stored 4 lines above the line that contains the pattern we're looking for (username).

    D: Extract login times from log2.txt

    $ grep "Time" log2.txt > log3.txt

    Now log3.txt lists all login times for the given user:

    Time : 10.12.2012 14:12:32
    Time : 7.12.2012 16:20:46
    Time : 5.12.2012 19:22:45
    Time : 5.12.2012 18:57:55

    A simpler solution probably exists but I've been unable to find it, so this had to do the trick for me.
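An added example (not code from the answer above) that does in one pass what steps C and D do with grep: it parses the MyEventViewer export layout quoted in the answer into records, keeps only successful Event ID 680 records whose "Logon account" matches the requested user, and returns the logon times in order. The sample export is constructed; XXX, ZZZ and YYY are placeholder account and workstation names as in the answer, and the failed-attempt record is there only to show it being skipped.

```python
import re
from datetime import datetime

# Constructed sample in the export layout quoted in the answer: three Event ID 680 records,
# of which only the first is a successful logon by XXX; the others must be skipped.
SAMPLE_EXPORT = """\
Log Type : Security
Event Type : Audit Success
Time : 10.12.2012 18:33:24
Event ID : 680
User Name : SYSTEM
Computer : YYY
Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0x0
==================================================
Log Type : Security
Event Type : Audit Success
Time : 10.12.2012 18:40:01
Event ID : 680
User Name : SYSTEM
Computer : YYY
Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ZZZ Source Workstation: YYY Error Code: 0x0
==================================================
Log Type : Security
Event Type : Audit Failure
Time : 7.12.2012 16:20:46
Event ID : 680
User Name : SYSTEM
Computer : YYY
Event Description : Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: XXX Source Workstation: YYY Error Code: 0xC000006A
"""

def parse_records(text):
    # Records are separated by a line of '='; every field line is "Name : value".
    records = []
    for chunk in re.split(r"^=+$", text, flags=re.M):
        fields = dict(line.split(" : ", 1) for line in chunk.splitlines() if " : " in line)
        if fields:
            records.append(fields)
    return records

def logon_times(text, account, event_ids=("680",)):
    # Only successful audits of the wanted event IDs count; the account name is taken from the
    # "Logon account:" token that the Event ID 680 description uses (case-insensitive match).
    times = []
    for rec in parse_records(text):
        if rec.get("Event ID") not in event_ids or rec.get("Event Type") != "Audit Success":
            continue
        m = re.search(r"Logon account:\s*(\S+)", rec.get("Event Description", ""))
        if m and m.group(1).lower() == account.lower():
            times.append(datetime.strptime(rec["Time"], "%d.%m.%Y %H:%M:%S"))
    return sorted(times)
```

Run it on a real export with `logon_times(open("log1.txt").read(), "XXX")`; the result is a sorted list of datetime objects rather than raw "Time :" lines, so it can be grouped by day directly.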