Occasionally, a manager may request timestamps for when a user (a potential problem employee or contractor) logs into their computer each morning or throughout the day.
A good first place to look is the Duo logs. Duo should record each time an employee approves a Duo prompt for "Windows Logon." However, this presupposes that the user's computer was connected to the internet at logon time. If the computer was NOT connected to the internet when they logged in, they could log into the computer without Duo and no event would be recorded in the Duo logs for that Windows login.
To narrow the research and confirm what you may be seeing in the Duo logs, you can check the computer's Event Viewer logs. There are two ways to do this, depending on how the computer is connected:
- Is the computer currently on the network/VPN? You can connect to the remote machine from Event Viewer (launch it through the terminal server, or from RDWeb open Command Prompt and enter eventvwr to start the app). Use Action menu --> Connect to another computer, then search the Security log for Event ID 4801 [workstation was unlocked] to determine the timestamps of when the user recently logged into the machine.
- Is the computer remote, currently disconnected from the VPN, but connected to the internet? You can still query Event Viewer through Sophos Live Response (remote Command Prompt) by entering the following command:
Command:
wevtutil qe Security "/q:*[System[(EventID=4801)] and EventData[Data[@Name='TargetUserName'] != 'SYSTEM']]" /f:text /rd:true /c:10
Breakdown:
- qe Security: Queries events from the Security log.
- /q: Defines the XPath filter to find Event ID 4801 [workstation was unlocked] and exclude the 'SYSTEM' account name.
- /f:text: Displays results in a readable text format rather than raw XML.
- /rd:true: Reads the log newest-first, so the count limit below returns the latest entries rather than the oldest ones (without it, wevtutil reads oldest-first).
- /c:10: Limits the output to the 10 most recent entries; remove this to see all results.
If the computer is completely disconnected / off network and not connected to the internet, then these logs will not be accessible remotely.
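Added example, not from the original article: the same Event ID 4801 filter run through PowerShell's Get-WinEvent and collapsed to one row per day, which answers the "first unlock each morning" question directly. It assumes an elevated session that can reach the target, that 'Audit Other Logon/Logoff Events' auditing is enabled there (otherwise 4801 is never written), and that WORKSTATION01, jdoe and the 14-day window are placeholders to replace.

```powershell
# Added example (not from the original article): daily summary of Event ID 4801
# (workstation unlocked) for one account, using the same XPath filter as wevtutil.
# Placeholders to replace: $Computer, $User. Requires an elevated session that can
# reach the target and 'Audit Other Logon/Logoff Events' auditing on that machine.
param(
    [string]$Computer = 'WORKSTATION01',   # placeholder hostname
    [string]$User     = 'jdoe',            # placeholder account (TargetUserName)
    [int]$Days        = 14                 # how far back to look
)

# timediff(@SystemTime) is the number of milliseconds between now and the event's
# UTC timestamp. XPath '=' is case-sensitive, so use the account name exactly as
# it appears in the event's TargetUserName field.
$windowMs = $Days * 86400000
$xpath = "*[System[(EventID=4801) and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='TargetUserName']='$User']]"

$events = Get-WinEvent -ComputerName $Computer -LogName Security -FilterXPath $xpath `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4801 events for '$User' on $Computer in the last $Days days."
    return
}

# One row per calendar day (local time of the querying host): FirstUnlock answers
# "when did they start each morning", Unlocks shows how active the session was.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    ForEach-Object {
        $times = @($_.Group | ForEach-Object TimeCreated | Sort-Object)
        [pscustomobject]@{
            Date        = $_.Name
            FirstUnlock = $times[0].ToString('HH:mm:ss')
            LastUnlock  = $times[-1].ToString('HH:mm:ss')
            Unlocks     = $times.Count
        }
    } |
    Sort-Object Date |
    Format-Table -AutoSize
```

Because 4801 is the unlock event, a day's first row reflects the first unlock after the machine was already logged on; pair it with the Duo "Windows Logon" approvals if you also need the initial logon itself.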