Windows Vista Event Viewer

[arash]

My Windows Vista Event Viewer used to log all logon and logoff events, and I
could audit all user account activities. But recently it just logs the logon
event for user accounts and doesn't show any logoff event. I know how to turn
on and off the auditing feature in Windows XP. But I can't find same thing in
Windows Vista. I will appreciate if someone helps me.

 

[William Anderson]

Hey there Arash,

This might sound dumb, but try right clicking on the security log and see if
you have the option to clear the filter. Do that and then check for 4634
events.

Let me know if it works.

Best Regards,

Will

 

[arash]

William,

there is no filter applied on the security log, I checked it as you said.

 

[William Anderson]

Just out of curiousity arash...what's the specific eventID you're looking for?

 

[arash]

The eventID: 4647
anytime you logoff, restart, shutdown or stanby your system, it shows the
time of logoff

 

[William Anderson]

Hey there Arash,

Here's a couple of articles that you may find interesting:

http://www.ultimatewindowssecurity....meibc55ebrx1cam))/SecurityLogEventID4634.ashx

"Microsoft's comments:
This event does not necessarily indicate the time that a user has stopped
using a system. For example, if the computer is shut down or loses network
connectivity it may not record a logoff event at all. "

However, event 4647 may be more accurate for you to find, this event is
actually logged during interactive sessions, whereas the 4634 event can be
logged for non-interactive network sessions (Just tested it on my machine):
http://www.ultimatewindowssecurity....meibc55ebrx1cam))/SecurityLogEventID4647.ashx

Let me know if this helps!

Best Regards,

Will