Logon/Logoff Events

Posted by:  TonyN (Ton…@discussions.microsoft.com)
Date: Wed, 9 Sep 2009

Hello Everyone: I'm not sure if this is the right group for this question,
but if not, perhaps someone can redirect me. Anyway, I am interested in
tracking user Logon/Logoff times using the Windows Event records. My
situation is that I have several public use computers running Windows/XP with
SteadyState to control the user accounts, and it is mainly the accounts
defined to SteadyState that I want to monitor. If I look at the Event Viewer
after a Logon/Logoff sequence, I see the following records (Event ID):

Logon: 528, 576, 538, 538 576
Logoff: 551

Is this sequence of records normal and predictable i.e. can I depend on them
for monitoring purposes? If possible I need to track all Logon events and
Logoff events resulting from 1) the user logging off (i.e. clicking Start =>
Log Off), 2) a log off resulting from a time out, and, 3) the computer being
powered off.

Thanks. . .

Tony N.