Walker News

How To Create A Custom View To Filter All Lock Computer Events In Vista SP2?

I have a habit of customizing the Windows audit policy with gpedit.msc, especially to record logon events.

Sometimes, I wonder if I had locked the workstation when I left the computer and walked somewhere else. So when that question crosses my mind, the Event Viewer is ready to provide an answer.

However, the Windows Security Log records many events of different categories, distinguished by Event ID. Obviously, it will take some seconds to locate “The workstation was locked”, or Event ID 4800, in the Windows Event Viewer :-(

To make life easier, the Event Viewer lets you create a Custom View, a sort of saved filter, that lists only the Windows events you are interested in.

Create Custom View in Vista SP2 Event Viewer to filter and display the Lock Computer event:

As said earlier, Event ID 4800 represents the “Lock Computer” event in Windows (in my test case, it’s Vista SP2).

1) Click the Vista Orb (Start button), type eventvwr.exe or eventvwr.msc, and press ENTER to open Event Viewer.

Alternatively, go to Control Panel, Administrative Tools, and double-click the Event Viewer shortcut icon.

2) In its left pane, expand Windows Logs and right-click Security to bring up the Create Custom View option in the context menu:

Create a filter in Windows Event Viewer to display only the events of interest.

3) In the Create Custom View window, go to the Filter tab, click the <All Event IDs> text box, type 4800, and click the OK button.

4) Now, the Save Filter to Custom View dialog box appears. Give this Custom View a meaningful name and description, e.g. Lock Computer 4800.

Finally, you should notice a new entry in the Custom Views folder (more precisely, a node of the TreeView control, in programming terms):

Customize Windows Event Viewer to display only the lock computer event.
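
The same filter can be run from PowerShell, which is handy for checking lock events without opening Event Viewer. This is an added example, not part of the original post: the XML below is the query form of the Custom View built in steps 2 to 4 (Security log, Event ID 4800), and the function name `Get-LockEvent` and its `MaxEvents` default are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session: reading the Security log requires administrator rights.

# Same filter as the Custom View: Security log, Event ID 4800.
[xml]$LockFilter = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4800)]]</Select>
  </Query>
</QueryList>
'@

function Get-LockEvent {            # hypothetical helper name
    param([int]$MaxEvents = 20)     # assumed default: newest 20 matches

    try {
        $events = Get-WinEvent -FilterXml $LockFilter -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports "no matches" as an error; treat it as an empty result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($e in $events) {
        # Index the named <Data> fields of the event by their Name attribute.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SessionId   = $data['SessionId']
        }
    }
}

Get-LockEvent | Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, User, SessionId -AutoSize
```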


  1. Pavel 10-08-11@22:33

    In order to get it to work in Windows 7 you have to enable the “auditing” of events 4800 and 4801.

    In Local Group Policy editor go to: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies – Local Group Policy -> Logon/Logoff. In subcategory (on the right) choose Audit Other Logon/Logoff Events. Double click this item and check the Success parameter.
