Trying to figure out a search string to find open Windows locked-screen sessions.
Monitored all security events when doing a log-on, a full log-off and a locked screen:
4624 logon (type 7 = logon from a locked screen)
4624 logon (type 2 = full logon when no active session running)
4634 = locked screen
4647 = full log off
4673 = privileged service called. This one is interesting: there is a 4673 heartbeat on the machine that has a locked-screen user session.
Doing the below:
index=winevents (EventCode=4624 OR EventCode=4634)
| transaction host startswith="EventCode=4624" endswith="EventCode=4634"
| table _time host duration eventcount
Problem with the above: it finds the log-on and then the locked-screen events, but it isn't catching what happens after that event. The user then logged on again, then fully logged out. So you see every time someone did a log-on and locked the screen, even if they later logged in yet again and legitimately logged off, cleaning up the situation.
This is where maybe that 4673 event ID is of value?
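Added example, not part of the original post: instead of pairing each 4624 with the next 4634 (which reports a lock even when a later unlock and logoff cleared it), replay the events per host and user in time order and keep only the last known state. It keys on the event IDs and logon types Microsoft documents for the Security log (4624 types 2/7/10/11, 4647, and the 4800/4801 lock/unlock events, which need "Other Logon/Logoff Events" auditing enabled); the host names, user names, timestamps and events are constructed for the example.

```python
"""Replay Windows Security events per (host, user) and report the final state.

Added example, not from the original post. Event IDs and logon types used here
are the ones Microsoft documents for the Security log:
  4624  An account was successfully logged on (Logon Type 2 = Interactive,
        7 = Unlock, 10 = RemoteInteractive, 11 = CachedInteractive)
  4647  User initiated logoff
  4800  The workstation was locked     (needs "Other Logon/Logoff Events" auditing)
  4801  The workstation was unlocked
4634 (An account was logged off) is not used as a lock signal here, because it
also fires when the short-lived unlock logon session ends and for network logons.
All sample events, hosts and user names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time: int            # epoch seconds (constructed)
    host: str
    user: str
    event_id: int
    logon_type: int = 0  # only meaningful for 4624


INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached interactive
UNLOCK_LOGON_TYPE = 7

StateTable = Dict[Tuple[str, str], Tuple[str, int]]


def session_states(events: Iterable[Event]) -> StateTable:
    """Return {(host, user): (state, since_time)} after replaying events in time order.

    state is 'active', 'locked' or 'logged_off'. Every event overwrites the previous
    state for that host/user, so a lock followed later by an unlock and a logoff ends
    as 'logged_off', which is exactly what a start/end pairing misses.
    """
    states: StateTable = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.user)
        if ev.event_id == 4624 and ev.logon_type in INTERACTIVE_LOGON_TYPES:
            states[key] = ("active", ev.time)
        elif ev.event_id == 4800:
            states[key] = ("locked", ev.time)
        elif ev.event_id == 4801 or (ev.event_id == 4624 and ev.logon_type == UNLOCK_LOGON_TYPE):
            # An unlock proves a session exists and is no longer locked, even if the
            # original interactive logon fell outside the search window.
            states[key] = ("active", ev.time)
        elif ev.event_id == 4647:
            states[key] = ("logged_off", ev.time)
        # Other event IDs (4634, 4673, ...) carry no session-state information here.
    return states


def locked_sessions(events: Iterable[Event], now: Optional[int] = None) -> List[Tuple[str, str, int]]:
    """List (host, user, seconds_locked) for sessions whose last known state is 'locked'.

    seconds_locked is measured against `now`, or against the latest event if not given.
    """
    evs = list(events)
    if now is None:
        now = max((e.time for e in evs), default=0)
    out: List[Tuple[str, str, int]] = []
    for (host, user), (state, since) in sorted(session_states(evs).items()):
        if state == "locked":
            out.append((host, user, now - since))
    return out


# Constructed sample: alice locks, unlocks, then logs off; bob locks and walks away;
# carol stays active over RDP; dave's unlock is logged before his lock (out of order).
SAMPLE_EVENTS = [
    Event(100, "WKS01", "alice", 4624, 2),
    Event(200, "WKS01", "alice", 4800),
    Event(300, "WKS01", "alice", 4624, 7),
    Event(300, "WKS01", "alice", 4801),
    Event(400, "WKS01", "alice", 4647),
    Event(100, "WKS02", "bob", 4624, 2),
    Event(500, "WKS02", "bob", 4800),
    Event(100, "WKS03", "carol", 4624, 10),
    Event(60, "WKS04", "dave", 4800),
    Event(50, "WKS04", "dave", 4624, 7),
]

if __name__ == "__main__":
    for host, user, secs in locked_sessions(SAMPLE_EVENTS, now=600):
        print(f"{host}\t{user}\tlocked for {secs}s")
```

Run against the sample, only bob on WKS02 and dave on WKS04 come back as locked; alice is reported as logged off because her 4647 is the last thing seen, which is the case the transaction pairing gets wrong. The same "last state wins" logic can be expressed in SPL with `streamstats` or `stats latest(...) by host, user` once the lock/unlock events are in the index.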