Event Viewer event ID for lock and unlock

滥情空心 2020-12-04 10:55

What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?

9 answers
  •  半阙折子戏
    2020-12-04 11:32

    For newer versions of Windows (including but not limited to both Windows 10 and Windows Server 2016), the event IDs are:

    • 4800 - The workstation was locked.
    • 4801 - The workstation was unlocked.

    Locking and unlocking a workstation also involve the following logon and logoff events:

    • 4624 - An account was successfully logged on.
    • 4634 - An account was logged off.
    • 4648 - A logon was attempted using explicit credentials.

    When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event 4778 may replace event 4801:

    • 4779 - A session was disconnected from a Window Station.
    • 4778 - A session was reconnected to a Window Station.

    Events 4800 and 4801 are not audited by default, and must be enabled using either Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).

    The path for the policy using Local Group Policy Editor is:

    • Local Computer Policy
    • Computer Configuration
    • Windows Settings
    • Security Settings
    • Advanced Audit Policy Configuration
    • System Audit Policies - Local Group Policy Object
    • Logon/Logoff
    • Audit Other Logon/Logoff Events

    The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor:

    • Security Settings
    • Advanced Audit Policy Configuration
    • System Audit Policies - Local Group Policy Object
    • Logon/Logoff
    • Audit Other Logon/Logoff Events
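
The steps in the answer above as a script, added here as an example that is not part of the original answer: it enables the audit subcategory from an elevated prompt, then pairs lock (4800) or disconnect (4779) events with the following unlock (4801) or reconnect (4778) per user. The function name `Get-LockInterval` is hypothetical, and the subcategory name passed to `auditpol` is the English one.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell prompt.
# Enable success auditing for the subcategory that produces events 4800/4801.
# The subcategory name is the English one; it is localized on other systems.
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable

function Get-LockInterval {
    # Hypothetical helper: pairs 4800/4779 with the next 4801/4778 for the same user.
    param([datetime]$After = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4800, 4801, 4778, 4779; StartTime = $After }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated

    $open = @{}   # user -> time the workstation was locked or the session disconnected
    foreach ($e in $events) {
        # Read the named EventData fields rather than relying on property order.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4800/4801 carry TargetUserName; 4778/4779 carry AccountName.
        $user = if ($data.ContainsKey('TargetUserName')) {
            '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        } else {
            '{0}\{1}' -f $data['AccountDomain'], $data['AccountName']
        }

        switch ($e.Id) {
            { $_ -in 4800, 4779 } {
                # Keep the earliest start so lock followed by disconnect is one interval.
                if (-not $open.ContainsKey($user)) { $open[$user] = $e.TimeCreated }
            }
            { $_ -in 4801, 4778 } {
                if ($open.ContainsKey($user)) {
                    [pscustomobject]@{
                        User     = $user
                        Locked   = $open[$user]
                        Unlocked = $e.TimeCreated
                        EndedBy  = $e.Id   # 4778 here means a reconnect replaced 4801
                        Duration = $e.TimeCreated - $open[$user]
                    }
                    $open.Remove($user)
                }
            }
        }
    }
}

Get-LockInterval | Format-Table -AutoSize
```

Only locks that happen after the policy is enabled are recorded, so an empty result on a freshly configured machine is expected.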
