Security Log from Windows System

As an administrator, you may sometimes be asked by managers for information about their employees, such as how much time they spend using their PC or when an employee arrives at the office.
This information can be extracted from the system's Security log by first configuring auditing in Group Policy and then running the script that follows below.

First, we need to enable auditing in Group Policy:

Open gpedit.msc
under:
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit
enable: Audit account logon event (success)
enable: Audit logon events (success)

Now we can use the script below whenever the information is needed. (Remark: the script should be run as the built-in local administrator.)

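Option Explicit

' ------------------------------------------------------------------
' Export session activity from the local Security log.
'
' Writes one line per matching event to C:\Temp\<COMPUTERNAME>.txt:
'   4647  user-initiated logoff
'   4624  successful logon, only when the message mentions winlogon.exe
'         (logon type 7 = unlock, logon type 11 = cached interactive)
'   4634  logoff (messages containing ANONYMOUS or CLIENT are skipped)
'   4802  screen saver invoked
'   4800  workstation locked
'   1100  event logging service shutting down (system shutdown)
'   4608  Windows starting up
'
' Requirements / caveats:
'   * Run elevated: the WMI moniker below requests the (Security)
'     privilege, which is needed to read the Security log.
'   * The audit subcategories that emit these IDs must be enabled.
'     "Audit logon events" covers 4624/4634/4647; 4800/4802 presumably
'     need "Other Logon/Logoff Events" as well -- confirm on the target
'     build if those lines are missing from the output.
'   * Account names are cut out of the English message text by fixed
'     offsets (AccountFromMessage / NewLogonAccount); localized systems
'     may need the offsets adjusted.
'   * Timestamps are converted to the machine's local time through
'     SWbemDateTime, so the zone offset and DST no longer have to be
'     hand-edited into the script. Layout: "Date: dd.mm.yyyy - h:mm:ss".
'   * The output file lists who used the machine and when. Keep it in a
'     folder only administrators can read, or delete it after use.
' ------------------------------------------------------------------

Dim WshNetwork, computer
Dim objFSO, objOut
Dim objWMI, colLoggedEvents, objItem, objDateTime
Dim strComputer, strFileName, strFolder, strPath, strLogType
Dim stamp, users, logontype

' --- Computer name: used for the file name and in every output line
Set WshNetwork = WScript.CreateObject("WScript.Network")
computer = WshNetwork.ComputerName

' --- Output location
strComputer = "."
strFileName = "\" & computer & ".txt"
strFolder = "C:\Temp"
strPath = strFolder & strFileName
strLogType = "'Security'"

' --- Make sure the folder exists; the file itself is (re)created below
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strFolder) Then
    objFSO.CreateFolder strFolder
End If

' Overwrite any previous export for this machine.
Set objOut = objFSO.CreateTextFile(strPath, True)

' --- WMI: Security-privileged connection plus a datetime converter.
' SWbemDateTime parses the CIM_DATETIME string in TimeGenerated and
' GetVarDate(True) returns it as a local-time Date.
Set objDateTime = CreateObject("WbemScripting.SWbemDateTime")
Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")

' Filter on the event IDs we report so WMI does not hand back the whole
' log (the Security log can be very large).
Set colLoggedEvents = objWMI.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile =" & strLogType & _
    " And (EventCode = 4647 Or EventCode = 4624 Or EventCode = 4634" & _
    " Or EventCode = 4802 Or EventCode = 4800 Or EventCode = 1100 Or EventCode = 4608)")

For Each objItem In colLoggedEvents
    objDateTime.Value = objItem.TimeGenerated
    stamp = FormatStamp(objDateTime.GetVarDate(True))

    Select Case objItem.EventCode
        Case 4647 ' User initiated logoff
            users = AccountFromMessage(objItem.Message)
            objOut.WriteLine(stamp & " - " & users & " initiate a logoff from " & computer)

        Case 4624 ' An account was successfully logged on (unlock / logon)
            If InStr(1, objItem.Message, "winlogon.exe", 0) > 0 Then
                logontype = LogonTypeFromMessage(objItem.Message)
                users = NewLogonAccount(objItem.Message)
                If logontype = 7 Then
                    objOut.WriteLine(stamp & " - " & users & " successfully unlock the " & computer)
                End If
                If logontype = 11 Then
                    objOut.WriteLine(stamp & " - " & users & " successfully logged on to " & computer)
                End If
            End If

        Case 4634 ' An account was logged off
            If InStr(1, objItem.Message, "ANONYMOUS", 0) = 0 And InStr(1, objItem.Message, "CLIENT", 0) = 0 Then
                users = AccountFromMessage(objItem.Message)
                objOut.WriteLine(stamp & " - " & users & " Logged off from " & computer)
            End If

        Case 4802 ' The screen saver was invoked
            objOut.WriteLine(stamp & " - " & "The Screen saver was invoked on " & computer)

        Case 4800 ' The workstation was locked
            users = AccountFromMessage(objItem.Message)
            objOut.WriteLine(stamp & " - " & users & " lock the " & computer)

        Case 1100 ' System shutdown
            objOut.WriteLine(stamp & " - " & computer & " is shuting down")

        Case 4608 ' Windows is starting up
            objOut.WriteLine(stamp & " - " & computer & " is Starting up")
    End Select
Next

' Flush and release the file handle before reporting completion.
objOut.Close
Set objOut = Nothing

' Confirms the script has completed (the file is not opened automatically).
MsgBox("Work complete!")

' ------------------------------------------------------------------
' Helpers
' ------------------------------------------------------------------

' Timestamp in the original layout "Date: dd.mm.yyyy - h:mm:ss":
' day, month, minute and second zero-padded to two digits, hour unpadded.
Function FormatStamp(dt)
    FormatStamp = "Date: " & Pad2(Day(dt)) & "." & Pad2(Month(dt)) & "." & Year(dt) & _
                  " - " & Hour(dt) & ":" & Pad2(Minute(dt)) & ":" & Pad2(Second(dt))
End Function

' Left-pads a 0-99 number to two digits.
Function Pad2(n)
    Pad2 = Right("0" & n, 2)
End Function

' Account name for 4647 / 4634 / 4800 messages: the text between the first
' and the last "Account" marker, skipping its first 15 characters
' (presumably the "Account Name:" label and its tab separators) and a
' 3-character tail (presumably the line break and the next line's tab).
' Returns a placeholder instead of raising when the markers are missing.
Function AccountFromMessage(msg)
    Dim firstPos, lastPos, chunk
    firstPos = InStr(1, msg, "Account", 0)
    lastPos = InStrRev(msg, "Account", -1, 0)
    If firstPos = 0 Or lastPos <= firstPos Then
        AccountFromMessage = "(account not parsed)"
        Exit Function
    End If
    chunk = Mid(msg, firstPos, lastPos - firstPos)
    chunk = Mid(chunk, 16, Len(chunk))
    If Len(chunk) < 4 Then
        AccountFromMessage = "(account not parsed)"
    Else
        AccountFromMessage = Mid(chunk, 1, Len(chunk) - 3)
    End If
End Function

' Account name for 4624 messages, which carry several "Account" markers:
' take everything before the last marker, then everything after the
' marker preceding it, skip the first 14 characters and drop the
' 3-character tail. Same fixed-offset assumptions as AccountFromMessage.
Function NewLogonAccount(msg)
    Dim lastPos, chunk
    lastPos = InStrRev(msg, "Account", -1, 0)
    If lastPos = 0 Then
        NewLogonAccount = "(account not parsed)"
        Exit Function
    End If
    chunk = Mid(msg, 1, lastPos - 1)
    chunk = Right(chunk, Len(chunk) - InStrRev(chunk, "Account", -1, 0))
    chunk = Mid(chunk, 15, Len(chunk))
    If Len(chunk) < 4 Then
        NewLogonAccount = "(account not parsed)"
    Else
        NewLogonAccount = Mid(chunk, 1, Len(chunk) - 3)
    End If
End Function

' Logon type number following the "Logon Type:" label (+14 skips the
' label and its separators). Returns -1 when the label is absent so the
' caller writes nothing for that event instead of raising.
Function LogonTypeFromMessage(msg)
    Dim pos
    pos = InStr(1, msg, "Logon Type:", 0)
    If pos = 0 Then
        LogonTypeFromMessage = -1
    Else
        LogonTypeFromMessage = CInt(Mid(msg, pos + 14, 2))
    End If
End Function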