How to find my actual login events in the Windows Event Viewer
I have an Excel sheet where I not down the time I arrive at work and the time I leave. It tends to vary a bit, and on a regular basis I forget noting down the time I arrived. At my previous job I used a simple tool called TurnedOnTimesView for this, but because the laptops here are managed differently, it isn't as reliable as it was. So, I figured I could try to enter the scary world of the Event Viewer.
In the Event Viewer you can create custom filtered views, and I first thought it would be as simple as looking for "Logon" events... but that filter gave me a mountain of logon events, most of which seemed to be various system events, and even IWA events from browsers logging on to company websites. Basically, there was a lot of noise.
Eventually though, digging out some old XPath skills, and identifying some key identifiers (EventID=4648 and ProcessName=lsass), I managed to come up with a query that actually seem to be quite accurate:
<QueryList> <Query Id="0" Path="Security"> <Select Path="Security"> *[ System[ (TimeCreated[timediff(@SystemTime) <= 604800000]) and (Provider[@Name='Microsoft-Windows-Security-Auditing']) and (EventID=4648) ] and EventData[ (Data[@Name='ProcessName'] = 'C:\Windows\System32\lsass.exe') and (Data[@Name='TargetDomainName'] = 'YOUR DOMAIN') and (Data[@Name='TargetUserName'] = 'YOUR USERNAME') ] ] </Select> </Query> </QueryList>
This, unless I have misunderstood something, should list all actual login events, by you, within the last week. I.e. not various services, HTTP stuff, etc., etc.