Session history report

The Logon/Logoff reports display the following information for each logon session.

Logon time

Logoff time

User name


Logon type



In order to use the report you need to:

1- Activate the logon/logoff audit

Windows NT 4: Administrative Tools> User Manager for domain > Policy > Audit
  Check Audit these events
  Check Success for Logon and Logoff

Windows Windows 2000/XP/2003/Vista/2008/7/2008 R2: Administrative Tools> Local security policy > Local policies > Audit policy > Audit logon events
  Check Success
  Warning! The audit needs some times a long time to be effective. In order to accelerate this, you can execute the following command line: secedit /refreshpolicy machine_policy on Windows 2000 or gpupdate on Windows XP/2003/Vista/2008/7/2008 R2
If defined the domain security policy and the domain controller security policy override the local policy.

2- Scan the security log of the computers to audit
In the event log section of the scan configuration add a filter for the following events:
528, 540 and 538 in the security log.
Alternatively you can load the event filter file "C:\Program files\ISDecisions\WinReporter4\Templates\LogonEventFilter.xml" with the context menu of the Event logs section.
Then launch the scan.

3- Once the scan is done, select the report in the Event reports section of the report tree.

4- Configure the filter if needed. You can choose the report period with the From and To fields.

6- Click Launch to see the report.

You can define the report time period with the Begin date and End date fields
You can choose to don't display sessions shorter than a time length specified in the Session> field.
The check box Logoff without logon allow to display logoff events without a corresponding logon event
The check box Logon without logoff allow to display logon events without a corresponding logoff event

- The report may require a long time to execute the query. In order to accelerate the process you can deactivate Logoff without logon and Logon without logoff.


The report is interesting on Windows NT 4 computers or on Windows 2000/XP/Vista/7 workstations (local logon). On Windows 200x domain controllers the system generate to many Logon/Logoff events and it's very difficult to analyze them.


Additional information:

The logon/Logoff report use the events 528,540 (Logon) and 538 (Logoff)
The session information is located in the dynamic parameters:
1 : User name
2 : Domain
3 : Session Identifier
4 : Logon Type (Network = 3, Local = 2, Unlock workstation = 7)
7 : Workstation name