
On Windows, you can track user login and logoff events using the Security log. In this article, we’ll show you how to get user login/logoff history from Event Logs on the local computer using a simple PowerShell script.
For user logon/logoff events to be recorded in the Security log, you need to enable auditing of logon events using Group Policy.
You can enable login auditing on all domain-joined computers using a domain GPO.
- Run the Group Policy Management Console (gpmc.msc) under a domain admin account;
- Right-click on Default Domain Policy and select Edit;
- Go to the following GPO section: Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff;
- Enable the following GPO options: Audit Logoff, Audit Logon, Audit Other Logon/Logoff Events. To do this, in each policy, select the options Configure the following audit events > Success;
- Save the GPO and wait until the new policy settings are applied to the domain computers (you can apply the policy on a client immediately using the gpupdate command).
Now, when a user logs on locally or remotely to a computer, an event with EventID 4624 appears in the Windows Logs > Security event log.
You can manually filter all logon events with the specified code in the Event Viewer. Run the Computer Management console. Go to System Tools > Event Viewer > Windows Logs > Security. Right-click on this section and select Filter Current Log. In the window that opens, specify Event ID 4624 and click OK.
As a result, only user logon events will be displayed in the event log. Open any Audit Success event. The event description says “An account was successfully logged on”. The name of the user who logged in is specified in the following message field:
```
New Logon:
    Security ID: CORP\jsmith
    Account Name: jsmith
```
If the user has logged on from a remote computer, the name (or IP) of that computer is specified in the Source Network Address field:
```
Source Network Address: 192.168.1.70
```
Let’s try to use PowerShell to select all user logon and logout events. To select events with EventID 4634 and 4624, we use the Get-WinEvent cmdlet. The following PowerShell script must be run with elevated privileges.
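```powershell
$Results = @()
# Filter on the event IDs at the source; this is much faster than piping the whole log to Where-Object
$logs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634 }
ForEach ($log in $logs) {
    if ($log.Id -eq 4634) {
        # 4634 (logoff): the account name is the second property
        $type = "SessionStop"
        $username = $log.Properties[1].Value
    }
    else {
        # 4624 (logon): the account name of the new logon is the sixth property
        $type = "SessionStart"
        $username = $log.Properties[5].Value
    }
    if ($username -ne "") {
        $Results += [PSCustomObject]@{ Time = $log.TimeCreated; Event = $type; User = $username }
    }
}
$Results
```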
After executing this script, you will get a list of all user logon/logoff events on this computer. If you want to select all events for a specific user account, add the following variable to the top of the script:
```powershell
$userlog = "jsmith"
```
And replace the line:
```powershell
if ($username -ne "") {
```
with:
```powershell
if ($username -eq $userlog) {
```
Specify the user name (not case-sensitive) for which you want to receive a user activity report on a specific computer.
For convenience, you can display the results in a graphical table using Out-GridView. Just replace the last line with:
```powershell
$Results | Out-GridView
```
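The script above picks the user name by its position in `$log.Properties` and lists logons and logoffs as separate rows. As an added example (not part of the original article), the following reads the same 4624/4634 events by field name from the event XML and pairs each logon with its logoff through `TargetLogonId`; the function names, the seven-day window and the restriction to logon types 2, 10 and 11 are assumptions made for this example.

```powershell
# Added example; run from an elevated PowerShell prompt.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        # Index EventData by field name so a shifted property position cannot return the wrong value
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time      = $WinEvent.TimeCreated
            Id        = $WinEvent.Id
            User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonId   = $data['TargetLogonId']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']   # present on 4624 only
        }
    }
}

function New-SessionRow($Start, $End) {
    [PSCustomObject]@{
        User = $Start.User; LogonType = $Start.LogonType; Source = $Start.Source
        Start = $Start.Time; End = $End
        Duration = if ($End) { $End - $Start.Time } else { $null }
    }
}

$since   = (Get-Date).AddDays(-7)   # assumed reporting window
$records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since } |
    ConvertTo-LogonRecord | Sort-Object Time

$open = @{}   # TargetLogonId -> logon record still waiting for its logoff
$sessions = @(
    foreach ($r in $records) {
        if ($r.Id -eq 4624) {
            # Keep interactive (2), RDP (10) and cached interactive (11) logons; skip service and network noise
            if ($r.LogonType -in '2', '10', '11') { $open[$r.LogonId] = $r }
        }
        elseif ($open.ContainsKey($r.LogonId)) {
            New-SessionRow $open[$r.LogonId] $r.Time
            $open.Remove($r.LogonId)
        }
    }
    # Logons with no 4634 in the window: still signed in, or the logoff was not recorded
    foreach ($s in $open.Values) { New-SessionRow $s $null }
)
$sessions | Sort-Object Start | Format-Table -AutoSize
```

Rows with an empty End are logons that had no matching 4634 event inside the window.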
The post How to Get Windows 10 User Login History Using PowerShell? appeared first on TheITBros.