There are hundreds of administrative and support tasks that we can carry out in Windows 10 and one of these is to analyze in detail each session closure by the user. The Windows 10 operating system is able to track the entire logout process and from there write a series of events in the system log that we can access later to obtain all the necessary information for administrative or audit purposes. ..
To access this type of information it will not be necessary to use third-party tools or software since Windows 10 integrates a utility called Event Viewer where all the system events are hosted by category (System, Security, etc.) and from there we have the opportunity to centrally control every event that occurs in the system and its applications .
Microsoft has developed a series of events for each action that is carried out within Windows 10, in the case of the session closure the ID is the following:
Event ID 4647
Logout initiated by the user. This event is generated when a session closure begins. No other activity initiated by the user can occur. This event can be interpreted as a session closing event manually or automatically.
Now TechnoWikis will explain how we can see this ID through the event viewer and from there have better analysis options..
View history Log out with logout event in Windows 10
Let's first see how to enter the Viewer to be able to filter events.
Step 1
To access this event viewer we have the following options:
- Right-click on the Start menu, or use the following keys, and in the drop-down list select "Event Viewer".
+ X
- Use the following key combination and execute the "eventvwr.msc" command and press Enter or OK.
+ R
- From the Windows 10 search box enter the term "events" and there select the viewer
Step 2
Once we access the Event Viewer, we will go to the “Windows Registries†section and there we select the “Security†category where we will see the following.
Step 3
Now we must filter the registry using one of the following options:
- Click on the “Filter current record†line located on the right side.
- Go to the "Action" menu and select "Filter current record".
- Right click on "Security" and select "Filter current record".
Step 4
When using any of these options, the following window will be displayed where we must define the event ID 4647 in the “All IDs†field:
Step 5
There are additional options such as the search for this ID on various networked devices or for multiple users, in this case it will be done locally so that we leave the default option. When entering the ID 4647 we click on the “Accept†button to apply the filter and we can see only the events related to this session ID:
Step 6
We can double click on any of the events displayed to obtain detailed information such as. This ID 4647 is generated when the logout process has been initiated with a specific account using the logout function.
- Computer, user and domain where the session closure was executed
- Session closing date and time
- Equipment in which the process was carried out and more.
We can see how simple Windows 10 gives us the option to analyze in detail the logins in the system.