RE: Screen Saver Lock Event ID

I found an acceptable intermediate solution until we can go to WinVista or
higher:

By default, there is not an event log was recorded in the Security log when
a screen saver locks. But we can enable audit on the logon.scr file to record
the screen saver event in Security log by the following steps:

Note: we suppose use the logon.scr as the screen saver, you can change to
another .scr screen saver.

A: Enable “Audit object access “policy on the server
===========================
1. Click Start > Run, type Gpedit.msc
2. Navigate to Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy
3. In the details pane, double-click “Audit object access”.
4. In the Audit object access Properties dialog box, check “Success” and
“Failure” on Local Security Setting tab.
5. Click OK.
6. Run gpupdate /force in command window to refresh the group policy.

B. Add the user right settings of logon.scr
=============================
1. Browse to %systemroot%\system32 and right-click on logon.scr. Then choose
Properties, switch to Security Tab and click Advanced.
2. Switch to Auditing, click Add and add proper groups or users(Such as
Administrator).
3. Double-click the proper groups or users, check Full Control in Successful
and Failed. And click OK to enable the auditing.

If you use your PDC to provide trusted time to all computers, restrict
acceptable time to be within 15min using a GPO, force a screen saver for all
PCs to lock after a certain a mount of time using a GPO, and limit the amount
of users that have administrative rights over the computers, then you should
be able to trust time and force a screen saver lock to generate an error.
One caveat: If the user manually locks their computer, then no event is
recorded. The screen saver MUST kick in first before the computer is locked
in order to generate the error.

"BrianG" wrote:

Is there an event ID that can be/is written to the Security log when a screen
saver locks in WinXP, for either when the screen saver locks itself or if a
user manually locks it? I want to track the last time of the day when a
person has stopped using their computer. Thanks
.

Relevant Pages

  • RE: [Full-Disclosure] Networking security problem?
    ... and Windows XP security is like comparing chalk with cheese! ... And the screen saver password is only to lock out the screen and keyboard - ... seems OK, but OS and network ... The particular NIC was in a payroll machine with obviously very ...
    (Full-Disclosure)
  • [Full-Disclosure] RE: NetWare Screensaver Authentication Bypass From The Local Console
    ... If the screen saver was intended to be bypassed and not to be a security ... > method of hacking servers. ... >> Novacoast has discovered a vulnerability in the Novell NetWare Operating ...
    (Full-Disclosure)
  • Re: Best Practice for Screen Savers
    ... Don't take personal offense to this, perhaps your security requirements ... without enforcing it. ... I think suggesting to user that "best practice" is XYZ. ... >>set my companies screen saver password timeout to. ...
    (Security-Basics)
  • Keeping the screen saver away
    ... I was wondering what windows message I can send to ... the Windows CE OS so that a security application or screen saver would ... consider an Bluetooth or serial connection as having the PDA ...
    (microsoft.public.windowsce.embedded.vc)