Wednesday, November 5, 2008

Script to Track Local Logins (VBS)

Event ID 528 is logged whenever an account logs on to the local computer, whereas Event ID 540 is generated for network logons. Going through the tons of events stored in the Event Viewer is often tedious and a strain on the eyes, even if you filter out the events you are not interested in.

I would suggest saving the login/logoff events to a log file in a more user-friendly format for easier analysis. One person may want to keep track of login times for monitoring purposes, while another may do this to ensure optimal usage, for example on a shared PC where users are allocated certain hours of access.

Here's a script that saves the login information (event ID 528) to a CSV file; the user name, hostname, and the time of login are captured.

The script opens a file for appending (creating it if it does not exist), and the captured data are stored there. It then calls a sub procedure called Main to extract this information. Note that users must have modify rights on the C:\LogFile\Login.csv file.



The Main sub procedure captures the currently logged-in user's name, domain, and the hostname of the computer, and then writes this information, together with the type of action (Login) and the time, to the log file:
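
A script matching the description above, as an added example that is not the original post's code. Only the path C:\LogFile\Login.csv and the name Main come from the post; the column order, the timestamp format and the helper functions CsvField, IsoTime and Pad2 are assumptions.

```vbscript
Option Explicit

' Added example: logon script that appends one CSV row per login.
' LOG_PATH is from the post; the column layout below is an assumption.
Const ForAppending = 8
Const LOG_PATH = "C:\LogFile\Login.csv"

Dim fso, logFile
Set fso = CreateObject("Scripting.FileSystemObject")

' OpenTextFile creates the file but not the folder, so stop if it is missing.
If Not fso.FolderExists(fso.GetParentFolderName(LOG_PATH)) Then WScript.Quit 1

' Third argument True = create the file if it does not exist yet.
Set logFile = fso.OpenTextFile(LOG_PATH, ForAppending, True)
Main
logFile.Close

Sub Main()
    Dim net
    Set net = CreateObject("WScript.Network")
    ' Columns (assumed order): domain, user, host, action, time
    logFile.WriteLine Join(Array( _
        CsvField(net.UserDomain), _
        CsvField(net.UserName), _
        CsvField(net.ComputerName), _
        CsvField("Login"), _
        CsvField(IsoTime(Now))), ",")
End Sub

' Quote every field and double embedded quotes so a comma or quote
' in a name cannot shift the columns.
Function CsvField(value)
    CsvField = """" & Replace(CStr(value), """", """""") & """"
End Function

' Locale-independent timestamp (yyyy-mm-dd hh:mm:ss) so login and
' logoff rows can be sorted and subtracted later.
Function IsoTime(t)
    IsoTime = Year(t) & "-" & Pad2(Month(t)) & "-" & Pad2(Day(t)) & " " & _
              Pad2(Hour(t)) & ":" & Pad2(Minute(t)) & ":" & Pad2(Second(t))
End Function

Function Pad2(n)
    Pad2 = Right("0" & n, 2)
End Function
```

Because every user needs modify rights on the file, any user can also edit or delete its rows, so the Security event log remains the authoritative record and this CSV is a convenience copy.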



Simple. Next, we will look at this script's partner, the logoff script, which captures the logoff time of the user (logoff time - login time = total usage time).
