
Count logons and logoffs on computer Windows 7

I want to count the number of logons and logoffs of users on their computers. I take the information for logons/logoffs from the Windows event logs (from the Win32_NTLogEvent WMI class). For example, with the following query:

select * from Win32_NtLogEvent
where EventCode = 4648 and TimeGenerated > '20120224000000.000000-***'

But when the computer has been restarted or started it counts 3 logons, and when the user has clicked logoff or lock (from the start menu) and then logs on it counts 1 logon. The user authenticates via Windows Active Directory. Does it influence the number of logons? Can I count only the number of logons using explicit credentials on users?

I found EventCode: 4608 and 4609 for starting up and shutting down of Windows but I also need the number of logons when the user has logged off or locked the computer.

Svetoslav Marinov asked Feb 24 '12 15:02


2 Answers

I found this solution here:

strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
    strComputer & "\root\cimv2")

Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'Security' AND " & _
        "EventCode = 528 AND User = 'fabrikam\\kmyer'") 

Wscript.Echo colEvents.Count

Simply replace the values with the ones you want.

Now this isn't Java but VB code... However, it apparently uses the WMI interface that you could use from your Java program. Or you could do something ugly and invoke a batch script from Java (or a scheduled task) and read its output, or use a binding.

This is of course assuming that you want to check this on the user's computer, as your question hinted. If you want to count logons at a more global level and from different machines, then you need to query the Active Directory (or other mechanism the networked infrastructure is using); the linked thread offers solutions for this as well.

Update:

You can have a look at Eric Fitzgerald's blog post on Tracking User Logon Activity Using Logon Events, where you have the corresponding codes (as well as complete formulas for accurate time tracking).

Apparently you want event codes 4624 (LOGON) and 4634 (LOGOFF), plus other ones listed there if you plan on using Fitzgerald's formulas to calculate the exact activity time.

haylem answered Sep 19 '22 03:09
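
Events 4624 and 4634 carry a LogonType and a TargetLogonId field, so logons can be counted by kind and matched to their logoffs instead of being counted by event ID alone. The following is an added example, not code from the question or either answer: it parses events in the Windows event XML layout, and the sample events, user name and logon IDs are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Logon types produced by a person at the machine: 2 interactive, 7 unlock,
# 10 remote desktop, 11 cached domain credentials.
HUMAN_TYPES = {"2": "interactive", "7": "unlock", "10": "remote", "11": "cached"}

def _event(eid, user, logon_id, ltype):
    """Build one constructed event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetLogonId">{logon_id}</Data>'
            f'<Data Name="LogonType">{ltype}</Data></EventData></Event>')

# Constructed sample: service and network logons around a boot, the user's
# interactive logon, one unlock, and the matching logoffs.
SAMPLE = "<Events>" + "".join([
    _event(4624, "SYSTEM", "0x3e7", 5),
    _event(4624, "PC01$", "0x1a2b", 3),
    _event(4624, "kmyer", "0x5f00", 2),
    _event(4624, "kmyer", "0x7c10", 7),
    _event(4634, "kmyer", "0x7c10", 7),
    _event(4634, "PC01$", "0x1a2b", 3),
    _event(4634, "kmyer", "0x5f00", 2),
]) + "</Events>"

def count_sessions(xml_text, user):
    """Return (logons by kind, matched logoffs, logon IDs still open) for user."""
    logons, logoffs, open_ids = Counter(), 0, set()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if (data.get("TargetUserName") or "").lower() != user.lower():
            continue  # machine, service and other users' sessions
        lid, ltype = data.get("TargetLogonId"), data.get("LogonType")
        if eid == "4624" and ltype in HUMAN_TYPES:
            logons[HUMAN_TYPES[ltype]] += 1
            open_ids.add(lid)
        elif eid == "4634" and lid in open_ids:
            logoffs += 1  # logoff paired with a counted logon via its logon ID
            open_ids.discard(lid)
    return dict(logons), logoffs, open_ids

if __name__ == "__main__":
    print(count_sessions(SAMPLE, "kmyer"))
```

Reporting unlocks separately from interactive logons lets the caller decide whether a lock/unlock cycle counts as a logon.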


A better approach would be to use a system service.

The HandlerEx callback function, defined by RegisterServiceCtrlHandlerEx, can be configured to receive session change notifications including logon, logoff, lock and unlock events.

I'm not entirely certain whether the logoff events received by HandlerEx are reliable or if they exhibit the same problems as the event log. As a backup, SetConsoleCtrlHandler allows you to define a callback function to receive logoff notifications. These notifications are reliable.

The remote desktop services API functions, such as WTSEnumerateSessions, may also be useful, allowing you to list the currently logged-on users at any given time, or get additional information about a given session. Only a subset of these functions are available on workstations, but they're the ones you need.

Harry Johnston answered Sep 21 '22 03:09