Creating a Windows Time Clock


Overview

Occasionally I find it necessary to try to figure out when I arrived at work, left work, went to break and so on. It has happened that the end of the week came along and I had forgotten to fill in a day or two and don’t remember precisely what times to put in. The problem is that if you can’t remember exactly when these times are, you have to err on the side of caution and cut yourself short on time that you actually worked. It’s also important to be accurate on records such as these.

This led me to think about ways that I could track this in case I forgot, as well as more accurately, so that I’m not shorting myself or my employer. After thinking about it I realized that the first thing I do in the morning is log on to my computer and the last thing I do is lock it. When I go to break, I lock it and log back in when I get back. I also know that Windows is meticulous about its “record keeping” and logs events for every little thing that takes place in one of its event logs.

I then performed logons, logoffs, workstation locks, etc. and searched the Security event logs for these events. I came up with the following events related to logon-logoff events.

Events

| Description | Event ID |
| --- | --- |
| Logoff | 4647 |
| Logon | 4648 |
| Lock Workstation | 4800 |
| Unlock Workstation | 4801 |

Setup New Event View

Now, in order to set up the “time clock”, follow these steps for Windows 7.

  1. Open Computer Management.
    1. Click on Run under the start menu.
    2. Type compmgmt.msc in the textbox and click OK.
  2. Select Manage from the menu that pops up.
  3. Navigate to the System Tools -> Event Viewer -> Windows Logs -> Security item in the left pane.
  4. Right-click the Security event log and select Create Custom View.
  5. Fill in the filter fields as follows and click OK.
    1. Logged: Any time
    2. Event level: None Selected
    3. By log: Selected
    4. Event logs: Windows Logs (not selected) -> Security (selected)
    5. Event IDs: 4647,4648,4800,4801
    6. Keywords: Audit Success
  6. Add the name of the new view to the Name field.
  7. Add a description of the new view to the description field (optional).
  8. Select the location to store the new view under in the tree view.
    1. You can select an existing folder.
    2. You can also use the New Folder button to create the folder structure you want.
  9. Make a choice using the All Users checkbox.
    1. Check: If you want the view accessible by all users.
    2. Uncheck: If you want the new view accessible only by you.
  10. Click OK.

Summary

Now that you’ve created the new view, you can access it by navigating to System Tools -> Event Viewer -> Custom Views -> CUSTOM VIEW NAME, where CUSTOM VIEW NAME is the name of the view you entered in step 6 above.

Please note that the logon and logoff events are sometimes duplicated and have event IDs like 4624. I haven’t had time yet to determine if one event ID is better to track the logon and logoff events than the others. If you do and want to let me know, please feel free to comment on this post and I’ll update it. What I would ultimately like to have is a single event either Logon, Logoff, Lock Workstation, Unlock Workstation or Shutdown. This way it would read just like a time card.
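
An added example (not from the original post): a PowerShell script that applies the same filter as the custom view (Security log, event IDs 4647, 4648, 4800, 4801, Audit Success) and appends the matches to a CSV file, so the time-card rows survive when the Security log rolls over. It assumes PowerShell 3.0 or later and an elevated prompt; the parameter names, the output path and the 60-second duplicate window are choices made for this example.

```powershell
# Added example: time-card extract using the event IDs listed in this post.
# Reading the Security log requires an elevated PowerShell prompt.
param(
    [int]$Days = 7,                                        # how far back to look
    [int]$DedupSeconds = 60,                               # assumed duplicate window
    [string]$OutFile = "$env:USERPROFILE\timeclock.csv"    # hypothetical output path
)

# Event IDs and labels exactly as given in the Events table of the post.
$labels = @{
    4647 = 'Logoff'
    4648 = 'Logon'
    4800 = 'Lock Workstation'
    4801 = 'Unlock Workstation'
}

# Same criteria as the custom view: Security log, four IDs, Audit Success keyword.
$auditSuccess = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditSuccess
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($labels.Keys)
    Keywords  = $auditSuccess
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches, so silence that case.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# Treat events with the same ID that fall within $DedupSeconds as one entry.
$last = @{}
$rows = foreach ($e in $events) {
    $prev = $last[$e.Id]
    $last[$e.Id] = $e.TimeCreated
    if ($prev -and ($e.TimeCreated - $prev).TotalSeconds -lt $DedupSeconds) { continue }
    [pscustomobject]@{
        Time     = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Event    = $labels[$e.Id]
        EventId  = $e.Id
        RecordId = $e.RecordId
    }
}

# Append only records that are not already in the CSV from an earlier run.
$seen = @()
if (Test-Path $OutFile) { $seen = @(Import-Csv $OutFile | ForEach-Object { [long]$_.RecordId }) }
$new = @($rows | Where-Object { $seen -notcontains $_.RecordId })
if ($new) { $new | Export-Csv $OutFile -Append -NoTypeInformation }
$rows | Format-Table -AutoSize
```

Running it from a scheduled task at an interval shorter than the time the Security log takes to roll over keeps the CSV complete without enlarging the log.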


6 thoughts on “Creating a Windows Time Clock”

  1. Alright, after putting this into practice I saw a flaw in my idea that I hadn’t noticed before. My system is generating a little over 377 security events a minute. At this rate my log is filling long before I can have even a day of “time clock” events. I could always enlarge the log, but don’t really want to, so I will just forego this effort for now.

    It would be nice if you could literally “pull” events that match the filter and place them in another log. Then the security log could keep rolling and I would have only the events I need. Maybe I’ll look into whether I can do this when I get some time.

    1. Hi,

      I have (and still have) exactly the same problem now as you have had one year ago.

      Solution #1: 7001, 7002 are better than event no 4647 and 4648 because they make one single entry to the log (makes 2 entries per day)

      Problem #2: 4624 and 4623 are not logged at all! (Win7 x64 Professional) Is there a place where logging for them has to be activated first? Or is it another queue/place where they are written to?

      Hopefully
      Mathias

      1. Mathias,

        Thank you for your reply! I could never find the documentation for exactly which events serviced the logon and logoff events, so I dug through the log right after logging on and found the events I thought best represented the logon and off. Although, there were several events that happened during logging on and off. It also didn’t help that the system I was doing this on logged hundreds of events a minute to the log, so catching them didn’t work very well. So, thank you very much for improving the article with this note!

        Nathon

  2. You have to enable the “auditing” of events 4800 and 4801 first.

    In Local Group Policy editor go to: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies – Local Group Policy -> Logon/Logoff. In subcategory (on the right) choose Audit Other Logon/Logoff Events. Double click this item and check the Success parameter.
