In this guide we are going to learn how to monitor when a Windows user logs on, logs off, locks or unlocks their account. We can maintain this Windows user login history in a regular text file or in an Excel CSV file.
Monitor Windows User Login History
Action 1: We’ll be using Windows Task Scheduler along with a CMD script file to track each time a user performs one of these actions: Login, Logout, Lock or Unlock.
Create or navigate to the folder where you wish to save the script file > Create a new file named: useraction.cmd
> Copy the following code into it:
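@echo off
rem Usage: useraction.cmd followed by li, lo, ls or us, passed in by the scheduled task.
rem The substring offsets assume the DATE value looks like "Ddd xx/xx/yyyy"; adjust them for other regional formats.
set cdate=%date:~-4%-%date:~7,2%-%date:~4,2%
set ctime=%time:~0,2%:%time:~3,2%:%time:~6,2%
rem C:\Tracker must already exist and be writable by the account the task runs as.
if "%1"=="li" echo %cdate%: %username% - Logged in at %ctime% >> C:\Tracker\userlog.txt
if "%1"=="lo" echo %cdate%: %username% - Logged out at %ctime% >> C:\Tracker\userlog.txt
if "%1"=="ls" echo %cdate%: %username% - Locked at %ctime% >> C:\Tracker\userlog.txt
if "%1"=="us" echo %cdate%: %username% - Unlocked at %ctime% >> C:\Tracker\userlog.txt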
If you instead wish to log the activities in a CSV file, use this code:
@echo off
rem Same arguments as the text version; each row is date, user, action, time.
set cdate=%date:~-4%-%date:~7,2%-%date:~4,2%
set ctime=%time:~0,2%:%time:~3,2%:%time:~6,2%
if "%1"=="li" echo %cdate%,%username%,Logged in,%ctime% >> C:\Tracker\userlog.csv
if "%1"=="lo" echo %cdate%,%username%,Logged out,%ctime% >> C:\Tracker\userlog.csv
if "%1"=="ls" echo %cdate%,%username%,Locked,%ctime% >> C:\Tracker\userlog.csv
if "%1"=="us" echo %cdate%,%username%,Unlocked,%ctime% >> C:\Tracker\userlog.csv
This file is going to log user activities on the basis of arguments passed by Task Scheduler.
Task 1: Create Login Task in Task Scheduler
- Open Task Scheduler: Press Win+R > type in taskschd.msc > Press Enter.
- Click on “Create Task…” from the Actions panel on the right.
- This will open a new “Create Task” dialog.
We’ll be making changes to each of the tabs in this Dialog.
General Tab:
Name: Enter a name for the task, such as: Track – User Login
Security Options: Click on the “Change User or Group…” button and search for the “Users” group. Add this group to the “When running the task, use the following user account” field.
Triggers Tab: Add a new trigger by clicking on “New…” button.
Begin the task: At log on
Settings: Any user
Click OK to add this trigger.
Actions Tab: Add a new action and point it to your script file.
Add arguments: Here you have to add li
Click OK to add the action.
Conditions Tab: We’ll be making changes to this tab only if working on a laptop.
Uncheck the box under “Power” that says “Start the task only if the computer is on AC power.”
That’s it. Click on OK to create the task.
Task 2: Create Locked Task in Task Scheduler
Create a new task similar to the one above. Apart from the name of the task, there are two other changes to be made in these tabs:
Triggers Tab: Add a trigger by clicking on “New…” button.
Begin the task: On workstation lock
Settings: Any user
Click OK to add this trigger.
Actions Tab: Add an action and point it to your useraction.cmd script.
Add arguments: Enter ls
Click OK to add the action.
Task 3: Create Unlocked Task in Task Scheduler
Triggers Tab: Add new trigger with these values:
Begin the task: On workstation unlock
Settings: Any user
Click OK to add this trigger.
Actions Tab: Add a new action and point it to useraction.cmd
Add arguments: us
Click OK to add the action.
Task 4: Create Logout Task in Task Scheduler
Windows doesn’t have an “At log off” trigger. To run the script with Task Scheduler at logout, we’ll use an Event ID as the trigger instead. Again, we will be making changes in the “Triggers” and “Actions” tabs for the new task. For the rest, follow the same steps as in the first task.
Triggers Tab: Add new trigger with these values:
- Begin the task: On an event
- Settings: Basic
- Log: System
- Source: Winlogon
- Event ID: 7002
Click OK to add the trigger.
Actions Tab: Add a new action and point it to useraction.cmd
Add arguments: lo
Click OK to add the action.
That’s it.
We can now test if the script is working as expected. Try locking and unlocking your PC. A new file named userlog.txt should be created in the path you specified in the useraction.cmd file. On opening it you should see one line for each action, in the format the script writes.
Every time a user logs on or logs off, this file is updated with the corresponding activity.
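Added example, not part of the original guide: a Python reader for the CSV variant of the log that checks each user's rows against the order the four tasks should produce (logged in, locked, unlocked, logged out) and reports rows that do not fit. The function names and the sample rows are assumptions made for this illustration.

```python
import csv
import io

# Action text exactly as the CSV variant of useraction.cmd writes it,
# mapped to (states it may follow, state it leads to).
TRANSITIONS = {
    "Logged in":  ({"out"}, "active"),
    "Locked":     ({"active"}, "locked"),
    "Unlocked":   ({"locked"}, "active"),
    "Logged out": ({"active", "locked"}, "out"),
}

def parse_log(text):
    """Yield (line_no, fields) per row; fields is None for a malformed row."""
    rows = csv.reader(io.StringIO(text, newline=""))
    for line_no, row in enumerate(rows, start=1):
        if not row:
            continue
        # echo leaves a trailing space before ">>", and %time% pads hours
        # before 10 with a leading space, so strip every field.
        fields = tuple(f.strip() for f in row)
        ok = len(fields) == 4 and fields[2] in TRANSITIONS
        yield line_no, fields if ok else None

def find_gaps(text):
    """Return (line_no, user, message) for rows that break the expected order."""
    state = {}      # user -> "out" | "active" | "locked"
    findings = []
    for line_no, fields in parse_log(text):
        if fields is None:
            findings.append((line_no, None, "malformed row"))
            continue
        # The date stays an opaque string: its field order depends on the
        # regional date format the script ran under.
        _date, user, action, _time = fields
        allowed, new_state = TRANSITIONS[action]
        current = state.get(user)   # None: first row seen for this user
        if current is not None and current not in allowed:
            findings.append((line_no, user, f"'{action}' while session was {current}"))
        state[user] = new_state
    return findings

# Constructed sample rows, not output from a real machine.
SAMPLE = (
    "2024-05-03,alice,Logged in, 8:59:10 \n"
    "2024-05-03,alice,Locked,12:01:44 \n"
    "2024-05-03,alice,Unlocked,12:31:02 \n"
    "2024-05-03,alice,Unlocked,13:05:40 \n"    # no lock recorded before this
    "2024-05-03,alice,Logged in,17:45:00 \n"   # no logout recorded before this
    "2024-05-03,bob,Logged in\n"               # truncated row
)
```

A reported gap only means a row is missing or out of order: a crash or power loss skips the logout row, and because the file is appended from the users' own sessions, those users can also edit it.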