SOLVED

Query for computer start events

Microsoft

Hi everyone,

I'm trying to assist a customer with a query in Log Analytics to see whenever computers were turned on, by computer and by day.

I think I am on the right track in the Security Event table, going off of the Saved Search that Log Analytics offered for Logon Activity by Computer.

 

search in (SecurityEvent) EventID == 4624

| summarize LogonCount = count() by Computer

| limit 500000

 

I found a list of the event numbers (here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/) and I believe 4608 "Windows is starting up" should work, but I can't seem to find where the options are to replace "LogonCount" with something that would indicate Windows starting instead. I'd also like to know how to sort that by computer and by day.

 

Appreciate any help you can offer, thanks!

7 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution
Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)

Thank you so much, Stanislav!

 

Is it also possible to query for the total amount of time each computer is used each day (ideally excluding idle time)? Is that somewhere in the Perf table?

Hi Your definition of idle is too vague. You will have to provide some explanation what you mean by idle time. There are thousand of performance counters on Windows Server and what Log Analytics gathers depends on what you've configured as data sources.

Here's all of the information I have on the request for two queries.

1) Usage count of computers

Number of times a user turns the power on (from sleep or shutdown) and performs an interactive login

 

2) Usage time of computers

The time (period) that a computer is unlocked and interactively logged on (excluding idle time if possible)

 

We can skip the idle time if that's difficult. Thanks so much! BTW, is there a list of these performance counters somewhere? Is this the right area?

https://msdn.microsoft.com/en-us/library/windows/desktop/aa373083(v=vs.85).aspx

 

I do not think any of those two have some kind of performance counters. For example interactive logons can be tracked only as events. If interactive login happens event is logged one time in the security log. I am not aware of there are other events which you can distinguish if machine was powered on from sleep or shutdown. About performance counters I do not know where the documentation is. There are some basic performance counters that are on every system and additional ones are installed depending on the role of the system. As far as I know you will not find user performance counters as all counters are related to the server itself rather users. I usually look at the performance counters from perfmon and than try to find if there is more information on specific counter on Internet.

Ok, got it. Thank you so much for your time! I have run across your blog posts researching other cases as well, very much appreciate your contributions!

Thanks!
1 best response

Accepted Solutions
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution
Hi Here we go search in (SecurityEvent) EventID == 4624 | summarize WindowsStartCount = count() by Computer, bin(TimeGenerated, 1d)

View solution in original post