When either a user manually locks his workstation or the workstation automatically locks its console after a period of inactivity this event is logged.
To find out when the user returned and unlocked the workstation look for event ID 4801.
If a screen saver is used, there is a relationship between this event and 4802/4803 See event ID 4802 for an explanation of the sequence of events.
Description Fields in
4800
Subject:
The user and logon session involved.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or — in the case of local accounts — computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter
to hear about the latest webinars, patches, CVEs, attacks, and more.
The workstation was locked
The workstation was locked.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Session ID: %5
This event is generated when a workstation was locked.
ISO 27001:2013 A.11.2.8
NIST 800-171: 3.1.10
NIST SP 800-53: AC-11
CMMC v2 L2: AC.L2-3.1.10
| Name | Field | Insertion String | OS | Example | |
|---|---|---|---|---|---|
| Security ID | TargetUserSid | %1 | Any | DOMAIN\UserName | |
| Account Name | TargetUserName | %2 | Any | UserName | |
|
|
Account Domain | TargetDomainName | %3 | Any | DOMAIN |
| Logon ID | TargetLogonId | %4 | Any | 0x759a9 | |
|
|
Session ID | SessionId | %5 | Any | 3 |
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Other Logon/Logoff Events"
LEFT/RIGHT arrow keys for navigation
Back to List
Event ID:
Category:
Subcategory:
Other Logon/Logoff Events
Supported on:
Windows Vista, Windows Server 2008
The workstation was locked.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Session ID: %5
Related content
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Event submitted by
Event Log Doctor
Event ID:
4800
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was locked.
Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1
System32 Reference
Windows Security Event ID 4800
Solution by
Event Log Doctor
2013-02-18 17:47:23 UTC
Windows Vista and later log this event when a user locks the workstation.
User Information
Only an Email address is required for returning users.
Email:
Name / Alias:
Hide Name
Solution
Your solution: *
Additional Links
Name:
URL: