How to find my actual login events in the Windows Event Viewer


I have an Excel sheet where I note down the time I arrive at work and the time I leave. It tends to vary a bit, and on a regular basis I forget to note down the time I arrived. At my previous job I used a simple tool called TurnedOnTimesView for this, but because the laptops here are managed differently, it isn't as reliable as it was. So, I figured I could try to enter the scary world of the Event Viewer.

In the Event Viewer you can create custom filtered views, and I first thought it would be as simple as looking for "Logon" events... but that filter gave me a mountain of logon events, most of which seemed to be various system events, and even IWA events from browsers logging on to company websites. Basically, there was a lot of noise.

Eventually though, digging out some old XPath skills, and identifying some key identifiers (EventID=4648 and ProcessName=lsass), I managed to come up with a query that actually seems to be quite accurate:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[
  System[
    (TimeCreated[timediff(@SystemTime) &lt;= 604800000]) and
    (Provider[@Name='Microsoft-Windows-Security-Auditing']) and
    (EventID=4648)
  ] and
  EventData[
    (Data[@Name='ProcessName'] = 'C:\Windows\System32\lsass.exe') and
    (Data[@Name='TargetDomainName'] = 'YOUR DOMAIN') and
    (Data[@Name='TargetUserName'] = 'YOUR USERNAME')
  ]
]
    </Select>
  </Query>
</QueryList>

This, unless I have misunderstood something, should list all actual login events, by you, within the last week. I.e. not various services, HTTP stuff, etc., etc.
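
One way to turn the query above into a per-day summary from PowerShell, as an added example rather than part of the original post: it passes the same query to `Get-WinEvent -FilterXml` and reports the first and last matching event for each day. The `$Domain`, `$User` and `$Days` variables and the output column names are assumptions of this example, and reading the Security log requires an elevated session.

```powershell
# Placeholders, as in the query above: replace with your own values.
$Domain = 'YOUR DOMAIN'
$User   = 'YOUR USERNAME'
$Days   = 7
# timediff() works in milliseconds; 7 days = 604800000, the value used in the query above.
$WindowMs = $Days * 24 * 60 * 60 * 1000

[xml]$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
*[
  System[
    (TimeCreated[timediff(@SystemTime) &lt;= $WindowMs]) and
    (Provider[@Name='Microsoft-Windows-Security-Auditing']) and
    (EventID=4648)
  ] and
  EventData[
    (Data[@Name='ProcessName'] = 'C:\Windows\System32\lsass.exe') and
    (Data[@Name='TargetDomainName'] = '$Domain') and
    (Data[@Name='TargetUserName'] = '$User')
  ]
]
    </Select>
  </Query>
</QueryList>
"@

try {
    $events = Get-WinEvent -FilterXml $query -ErrorAction Stop
} catch {
    # Get-WinEvent reports an error when nothing matches; treat that as an empty result.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# One row per calendar day: earliest and latest matching event, plus the count.
$events |
    Group-Object { $_.TimeCreated.Date } |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Date        = $times[0].ToString('yyyy-MM-dd')
            FirstLogon  = $times[0].ToString('HH:mm')
            LastLogon   = $times[-1].ToString('HH:mm')
            LogonEvents = $_.Count
        }
    } | Sort-Object Date
```

`LastLogon` is the last matching logon event of the day, not a logoff time, so only the `FirstLogon` column maps directly to an arrival time.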