Workstation Unlocked
Enabled by default
Service: Microsoft Windows Security Auditing
Log type: Security
A workstation being unlocked can often be a normal function and not any cause for concern. However, this could also be a sign that an attacker has made changes or could be attempting to hide something. This could also be used to tie events together and create a timeline.
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4801'} -MaxEvents 1 | Format-List
auditpol /get /subcategory:"Other Logon/Logoff Events"
auditpol /set /subcategory:"Other Logon/Logoff Events" /Success:Disable /Failure:Disable
auditpol /set /subcategory:"Other Logon/Logoff Events" /Success:Enable /Failure:Enable
In order to enable auditing on workstation unlocked events, navigate to the System Audit Policies in the group policy editor. Enable 'Other Logon/Logoff Events' under the Logon/Logoff tab.
This is not logged by default on the Windows system and falls under the "Other Logon/Logoff Events" category. In order to turn on auditing for this event, enter the command auditpol /set /subcategory:"Other Logon/Logoff Events" /Success:Enable /Failure:Enable
Changes to the audit policy are logged by default in Windows 10 Professional. To view the logs, navigate to the Security log in Event Viewer and sort or filter by Event ID 4801.
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4801'} -MaxEvents 1 | Format-List
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System[(EventID=4801)]]"
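The following PowerShell script is an added example and is not part of the original page. It pulls the steps above together into a small triage routine: it checks that the "Other Logon/Logoff Events" subcategory is actually enabled (so that 4801 can be written at all), then builds a lock/unlock timeline for the last N hours from Event ID 4801 together with its companion event 4800 (Workstation Locked, same subcategory). The EventData field names TargetUserName, TargetDomainName, TargetLogonId and SessionId, the text format of auditpol output, and the 07:00-19:00 "business hours" window used to flag off-hours unlocks are assumptions made for this example; adjust them to your environment.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
# Builds a workstation lock/unlock timeline from Event IDs 4800 (locked) and 4801 (unlocked).
param(
    [int]$LookbackHours = 24,
    [int]$BusinessStartHour = 7,   # assumed business-hours window for the OffHours flag
    [int]$BusinessEndHour   = 19
)

# 1. Confirm the audit subcategory is on. auditpol prints the subcategory's setting
#    ("No Auditing", "Success", "Failure" or "Success and Failure"); this check
#    assumes that text format.
$policy = (auditpol /get /subcategory:"Other Logon/Logoff Events" 2>&1 | Out-String)
if ($policy -notmatch 'Success') {
    Write-Warning 'Success auditing for "Other Logon/Logoff Events" is off; 4800/4801 will not be recorded until it is enabled.'
}

# 2. Collect lock and unlock events from the Security log for the lookback window.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4800, 4801; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No 4800/4801 events in the last $LookbackHours hours."
    return
}

# 3. Flatten each event's EventData into a timeline row. Field names below are the
#    ones assumed for these events; check $e.ToXml() on your system if a column is blank.
$timeline = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $hour = $e.TimeCreated.Hour
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -eq 4801) { 'Unlocked' } else { 'Locked' }
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonId   = $data['TargetLogonId']
        SessionId = $data['SessionId']
        Computer  = $e.MachineName
        OffHours  = ($e.Id -eq 4801) -and ($hour -lt $BusinessStartHour -or $hour -ge $BusinessEndHour)
    }
}

# 4. Print the timeline oldest-first, then a per-user summary of unlocks and off-hours unlocks.
$timeline | Sort-Object Time | Format-Table -AutoSize

$timeline | Where-Object Action -eq 'Unlocked' | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User            = $_.Name
        Unlocks         = $_.Count
        OffHoursUnlocks = ($_.Group | Where-Object OffHours).Count
    }
} | Sort-Object OffHoursUnlocks -Descending | Format-Table -AutoSize
```

Pairing each 4801 with the preceding 4800 for the same LogonId gives the length of time the console was locked, which is the piece of context the timeline in the text above needs: a single unlock is rarely meaningful on its own, but an unlock by an account that had no matching lock, or one that falls well outside the user's normal hours, is worth a closer look.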