Screen Saver Invoked
Enabled by default
Service: Microsoft Windows Security Auditing
Log type: Security
A screen saver being invoked is often tied to the event of a workstation being locked. This event can help trace a series of attacks and track the course of events. It could also prove that changes were made, especially if a screen saver was not default on a system.
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4802'} -MaxEvents 1 | Format-List
auditpol /get /subcategory:"Other Logon/Logoff Events"
auditpol /set /subcategory:"Other Logon/Logoff Events" /Sucess:Disable /Failure:Disable
auditpol /set /subcategory:"Other Logon/Logoff Events" /Sucess:Enable /Failure:Enable
In order to enable auditing on workstation unlocked events, navigate to the System Audit Policies in the group policy editor. Enable 'Other Logon/Logoff Events' under the Logon/Logoff tab.
This is not logged by default on the Windows system and falls under the "Other Logon/Logoff Events" category. In order to turn on auditing for this event, enter the command auditpol /set /subcategory:"Other Logon/Logoff Events" /Success:Enable /Failure:Enable
Changes to the audit policy are logged by default in Windows 10 Professional. To view the logs, navigate to the Event Viewer Security tab and sort of filter by Event ID 4802.
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4802'} -MaxEvents 1 | Format-List
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System [(EventID=4802)]]"