How to find my actual login events in the Windows Event Viewer
I have an Excel sheet where I note down the time I arrive at work and the time I leave. It tends to vary a bit, and on a regular basis I forget to note down the time I arrived. At my previous job I used a simple tool called TurnedOnTimesView for this, but because the laptops here are managed differently, it isn't as reliable as it was. So, I figured I could try to enter the scary world of the Event Viewer.
In the Event Viewer you can create custom filtered views, and I first thought it would be as simple as looking for "Logon" events... but that filter gave me a mountain of logon events, most of which seemed to be various system events, and even IWA events from browsers logging on to company websites. Basically, there was a lot of noise.
Eventually though, digging out some old XPath skills, and identifying some key identifiers (EventID=4648 and ProcessName=lsass), I managed to come up with a query that actually seems to be quite accurate:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[
        System[
          (TimeCreated[timediff(@SystemTime) &lt;= 604800000]) and
          (Provider[@Name='Microsoft-Windows-Security-Auditing']) and
          (EventID=4648)
        ] and
        EventData[
          (Data[@Name='ProcessName'] = 'C:\Windows\System32\lsass.exe') and
          (Data[@Name='TargetDomainName'] = 'YOUR DOMAIN') and
          (Data[@Name='TargetUserName'] = 'YOUR USERNAME')
        ]
      ]
    </Select>
  </Query>
</QueryList>
This, unless I have misunderstood something, should list all actual login events, by you, within the last week. I.e. not various services, HTTP stuff, etc., etc.
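For the timesheet use case, the same filter can be run from PowerShell and reduced to the first and last matching event per day. This is an added example, not code from the original post; it assumes an elevated prompt (needed to read the Security log), and `$Domain`, `$User` and `$Days` are placeholder variables introduced here.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Placeholders, as in the Event Viewer query: replace with your own values.
$Domain = 'YOUR DOMAIN'
$User   = 'YOUR USERNAME'
$Days   = 7

# timediff() works in milliseconds; 7 days = 604800000 ms, as in the query.
$ms = $Days * 24 * 60 * 60 * 1000

# Same conditions as the custom view. -FilterXPath takes the bare XPath,
# so "<=" is written literally here (it is only escaped inside the XML form).
$xpath = @"
*[System[
    TimeCreated[timediff(@SystemTime) <= $ms] and
    Provider[@Name='Microsoft-Windows-Security-Auditing'] and
    EventID=4648
  ] and
  EventData[
    Data[@Name='ProcessName'] = 'C:\Windows\System32\lsass.exe' and
    Data[@Name='TargetDomainName'] = '$Domain' and
    Data[@Name='TargetUserName'] = '$User'
  ]
]
"@

try {
    $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches or access is denied.
    Write-Warning "Query returned no events: $($_.Exception.Message)"
    $events = @()
}

# One row per calendar day: earliest and latest matching event.
$events |
    Group-Object { $_.TimeCreated.Date } |
    Sort-Object { $_.Group[0].TimeCreated } |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Date       = $times[0].ToString('yyyy-MM-dd')
            FirstEvent = $times[0].ToString('HH:mm:ss')
            LastEvent  = $times[-1].ToString('HH:mm:ss')
            Count      = $_.Count
        }
    } | Format-Table -AutoSize
```

`LastEvent` is the last matching logon event of the day, not the time the machine was locked or shut down.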