Monitoring logon attempts on Windows Vista

A few simple steps to enable monitoring of logon attempts on Windows Vista.

  1. The first step to monitor successful logon attempts is to enable auditing of successful logons for the Logon subcategory. This is done from an elevated command prompt with the following command (the original text omitted the /success:enable switch, without which auditpol only reports the current setting):

    auditpol /set /subcategory:"Logon" /success:enable
    
  2. Next, we load the Event Viewer by executing the following command:

    eventvwr.msc

     and perform the following steps: Action -> Create Custom View -> XML -> Edit query manually

  3. We enter the following event query (an XPath filter over the Security log; event 4624 is a successful logon, logon type 2 is an interactive logon at the console and logon type 7 is a workstation unlock):

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)] and (EventData/Data[@Name='LogonType']=7 or EventData/Data[@Name='LogonType']=2)]</Select>
      </Query>
    </QueryList>
    
  4. Finally, we click OK, give a name to our custom view and click OK once more.

Instead of performing the above-mentioned procedure inside Event Viewer, it is possible to create the custom view by simply creating a new file under the following path: C:\ProgramData\Microsoft\Event Viewer\Views. The file name can be anything that ends in .xml. Windows itself, though, prefers to create files that follow the pattern View_<n>.xml, where <n> is a sequential number counting from 0. The content of such a file, for the query above, looks like this:

<ViewerConfig>
  <QueryConfig>
    <QueryParams>
      <UserQuery />
    </QueryParams>
    <QueryNode>
      <Name>logons</Name>
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624)] and (EventData/Data[@Name='LogonType']=7 or EventData/Data[@Name='LogonType']=2)]</Select>
        </Query>
      </QueryList>
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
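The same selection the custom view performs can also be run from PowerShell, which is handy for a quick summary of who logged on interactively or unlocked the workstation. This is an added example, not code from the original post; it assumes an elevated prompt (reading the Security log requires administrative rights) and that success auditing for the Logon subcategory has already been enabled as in step 1.

```powershell
# Added example (not from the original post): run the custom view's query with
# Get-WinEvent and summarise the matching logons per account and logon type.
# Assumes an elevated prompt and that Logon success auditing is enabled.

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and (EventData/Data[@Name='LogonType']=7 or EventData/Data[@Name='LogonType']=2)]</Select>
  </Query>
</QueryList>
"@

# Meaning of the two logon types the view selects (from the 4624 event definition).
$logonTypeNames = @{ '2' = 'Interactive'; '7' = 'Unlock' }

# Pull the most recent matching events; raise -MaxEvents for a longer history.
$events = Get-WinEvent -FilterXml $query -MaxEvents 200 -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Each EventData/Data element carries a Name attribute; collect them in a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $logonTypeNames[$data['LogonType']]
        Process   = $data['ProcessName']
    }
}

# Newest logons first, followed by a count per account and logon type.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Group-Object Account, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

An unexpected account in the per-account count, or unlock events at times when nobody should be at the console, is the kind of thing the custom view is meant to surface.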
