When user authentication is successful, the authentication package creates a logon session and returns information to the Local Security Authority (LSA) that is used to create a token for the new user. Among other things, this token includes a locally unique identifier (LUID) for the logon session, called the logon Id.
A logon session begins with successful authentication of a user and ends when the user logs off of the system. Windows logon events can be used to track a user's session duration.
logon session duration = logoff time - login time
logoff -> event id 4634
login -> event id 4624
Depending on the situation, the logoff can instead be correlated with the system shutdown time or the system start-up time: the shutdown time applies when the user does not log off before the system shuts down, and when the system crashes (so no shutdown is recorded) the next start-up time is the end point that remains.
system startup -> event id 4608
system shutdown -> event id 4609
This is a straightforward answer, but it gets more complex when we analyze the situation in more detail. If we want to calculate the actual time the user was using the computer, the following things need to be addressed:
1. Workstation lock time: the time the workstation was locked
2. Session idle time: connects and disconnects of different logon sessions, such as desktop and terminal server sessions
3. Console idle time: whether the machine itself was idle (correlate with the screensaver)
Actual computer usage = logoff time - login time - workstation lock duration - session idle duration - console idle duration
workstation lock duration = workstation unlock time - workstation lock time
session idle duration = session reconnect time - session disconnect time
console idle duration = screensaver dismiss time - screensaver invoke time
session reconnect -> event id 4778
session disconnect -> event id 4779
workstation locked -> event id 4800
workstation unlock -> event id 4801
screensaver invoke -> event id 4802
screensaver dismiss -> event id 4803
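The calculation above, worked through in code as an added example (not part of the original post): it takes the event ids listed here for a single logon id, pairs each idle-start event with its end, and subtracts the idle time from the session duration. It also merges overlapping idle intervals so that, say, a screensaver that fires while the workstation is already locked is not subtracted twice, and it closes any interval still open at session end. The sample events are constructed, and the `fallback_end` parameter is an assumption standing in for the next 4608 start-up after a crash.

```python
from datetime import datetime, timedelta

# Security-log event ids used in the post.
LOGON, LOGOFF, SHUTDOWN = 4624, 4634, 4609
IDLE_START = {4800: 4801,  # workstation locked   -> unlocked
              4779: 4778,  # session disconnected -> reconnected
              4802: 4803}  # screensaver invoked  -> dismissed

def session_usage(events, fallback_end=None):
    """events: (timestamp, event_id) tuples for ONE logon id.
    Returns (session_duration, actual_usage) as timedeltas.
    Session end = first 4634 after logon, else first 4609 (shutdown),
    else fallback_end (e.g. the next 4608 start-up after a crash)."""
    events = sorted(events)
    start = next(t for t, eid in events if eid == LOGON)
    end = next((t for t, eid in events
                if t > start and eid in (LOGOFF, SHUTDOWN)), fallback_end)
    if end is None:
        raise ValueError("no logoff/shutdown event and no fallback end time")
    # Pair idle-start events with their ends; intervals still open at
    # session end are closed at the session end.
    opened, intervals = {}, []
    for t, eid in events:
        if not start <= t <= end:
            continue
        if eid in IDLE_START:
            opened.setdefault(eid, t)  # a repeated start keeps the earliest
        elif eid in IDLE_START.values():
            s = next(k for k, v in IDLE_START.items() if v == eid)
            if s in opened:
                intervals.append((opened.pop(s), t))
    intervals += [(t, end) for t in opened.values()]
    # Merge overlaps so nested idle periods are not subtracted twice.
    idle, cur = timedelta(), None
    for a, b in sorted(intervals):
        if cur and a <= cur[1]:
            cur = (cur[0], max(cur[1], b))
        else:
            idle += (cur[1] - cur[0]) if cur else timedelta()
            cur = (a, b)
    if cur:
        idle += cur[1] - cur[0]
    return end - start, end - start - idle

# Constructed sample: one logon id's events for a single working day.
T = lambda h, m: datetime(2024, 1, 15, h, m)
SAMPLE = [(T(8, 0), 4624), (T(10, 0), 4800), (T(10, 20), 4802), (T(10, 25), 4803),
          (T(10, 30), 4801), (T(12, 0), 4779), (T(13, 0), 4778), (T(15, 0), 4802),
          (T(15, 15), 4803), (T(17, 0), 4634)]
```

For the sample, `session_usage(SAMPLE)` gives a 9 hour session of which 7 hours 15 minutes count as actual use (30 minutes locked, 60 minutes disconnected, 15 minutes of screensaver).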
These methods can be used to audit user logon sessions.