General discussion


Log which track when a PC is unlocked?

By wayne.ha
My client is reporting that perhaps after locking (ctrl+alt+del) his PC at night it seems someone (or an application is running) which unlocks his PC. He is asking if there is some form of a log or a way to detect this. Any help would be greatly appreciated. Thanks in advance.


by dkolas In reply to Log which track when a PC ...

It sounds to me like a user has access to the client's password or the client is not logging off correctly. If another user knows the password it would be wise to have the user change the password at next logon. To track these events you might want to establish an audit policy to track successful logon attempts and possibly object access. The Event Viewer can be used to view information from the Security log, which shows the audited events you have established in your audit policy.


by a.jongsma In reply to Log which track when a PC ...

There are chances that someone already knows your client's password, and that he uses a security hole of Windows 2000 to log into the box without leaving any logon/logoff traces in the Security log.
All versions of Windows NT do - under certain conditions - log successful logons, which normally create Security event 528, as failed logons (Security event 539)!
Because the locking of the machine creates no Security event by design, a local attacker can use this hole to log onto a locked machine and lock the machine again (when he is done), without leaving logon/logoff traces of his successful break-in in the Security log!

You could apply the fix from KB article Q188700, which will require you to add the following Registry value:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: ForceUnlockLogon
Content: 1 (on) or 0 (off)

Microsoft says it would be necessary to reboot. In all experiments we did, we always found that the change worked immediately, even without a reboot.
When ForceUnlockLogon is set to 1, a locked account cannot unlock a locked machine. This means an attacker cannot use the hole in the event log mechanism to log on undetected any longer.
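Added example, not code from the thread or from either poster: a PowerShell script an administrator could run on the client's machine to apply the Winlogon value described above and then review the Security log for logon activity during the night. It goes beyond the thread in one respect: besides the NT/2000 event IDs 528 and 539 named above, it also queries the IDs that later Windows versions record for the same activity (4624/4625 for logon success/failure and 4800/4801 for workstation locked/unlocked). The overnight time window and the event-data positions used to pull out the account name are assumptions of this example; the script assumes an elevated session and that logon auditing is already enabled in the audit policy.

```powershell
# Added example (not from the thread). Assumes an elevated Windows PowerShell
# session and that the audit policy already records logon events.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-ForceUnlockLogon {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    # ForceUnlockLogon = 1 makes Winlogon treat an unlock as a full logon, so the
    # unlock is authenticated and audited like any other logon (the thread's fix).
    New-ItemProperty -Path $WinlogonKey -Name 'ForceUnlockLogon' `
        -PropertyType DWord -Value $Enabled -Force | Out-Null
    # Return the value actually stored so the caller can confirm the change.
    return (Get-ItemProperty -Path $WinlogonKey -Name 'ForceUnlockLogon').ForceUnlockLogon
}

function Get-OvernightLogonEvents {
    param(
        # Assumed window: yesterday 18:00 to today 08:00.
        [datetime]$Start = (Get-Date).Date.AddDays(-1).AddHours(18),
        [datetime]$End   = (Get-Date).Date.AddHours(8)
    )
    # Human-readable labels for the event IDs we look at.
    $labels = @{
        528  = 'Successful logon (NT/2000)'
        539  = 'Logon failure, account locked out (NT/2000)'
        4624 = 'Successful logon'
        4625 = 'Failed logon'
        4800 = 'Workstation locked'
        4801 = 'Workstation unlocked'
    }
    # Position of TargetUserName in each event's EventData (assumed from the
    # documented event layouts; verify against a sample event on the host).
    $namePos = @{ 4624 = 5; 4625 = 5; 4800 = 1; 4801 = 1 }

    $results = @()

    # Modern log format (Vista and later): Get-WinEvent with a filter hashtable.
    $modern = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4800, 4801
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction SilentlyContinue
    foreach ($e in $modern) {
        $results += [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            What    = $labels[$e.Id]
            Account = $e.Properties[$namePos[$e.Id]].Value
        }
    }

    # Classic log format (the IDs named in the thread); Get-EventLog exists in
    # Windows PowerShell only, so skip it quietly where it is unavailable.
    if (Get-Command Get-EventLog -ErrorAction SilentlyContinue) {
        $legacy = Get-EventLog -LogName Security -After $Start -Before $End `
            -InstanceId 528, 539 -ErrorAction SilentlyContinue
        foreach ($e in $legacy) {
            $results += [pscustomobject]@{
                Time    = $e.TimeGenerated
                Id      = $e.InstanceId
                What    = $labels[[int]$e.InstanceId]
                Account = $e.UserName
            }
        }
    }

    return $results | Sort-Object Time
}

# Usage: apply the fix, then list what happened overnight.
Set-ForceUnlockLogon -Enabled 1
Get-OvernightLogonEvents | Format-Table -AutoSize
```

Any 4801 (or, on older systems, 528) event inside the window with the client's account name, while the client was away, confirms someone unlocked the machine with his credentials; a 4624 from a different account points at a second user with a separate logon. Either way the next step is the one dkolas gives above: change the password and keep the audit policy on.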
