Windows Event Viewer event IDs for lock and unlock

Note: this page is a translation of a popular Stack Overflow question and is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license and attribute it to the original authors (not me), citing the original at http://stackoverflow.com/questions/11385164/

Date: 2020-09-09 09:40:38  Source: igfitidea

Eventviewer eventid for lock and unlock

Tags: windows, event-viewer

Asked by user1500194

What is the event id in Event Viewer for lock, unlock for a computer in Windows XP, Windows 7, Windows Vista and Windows Server 2008?

Accepted answer by Shezi

The event IDs to look for in pre-Vista Windows are 528, 538, and 680. 528 usually stands for successful unlock of workstation.

The codes for newer Windows versions differ, see below answers for more info.

Answer by eran

The lock event ID is 4800, and the unlock is 4801. You can find them in the Security logs. You probably have to activate their auditing using Local Security Policy (secpol.msc, Local Security Settings in Windows XP) -> Local Policies -> Audit Policy. For Windows 10 see the picture below.

Look in Description of security events in Windows 7 and in Windows Server 2008 R2 under Subcategory: Other Logon/Logoff Events.

Other Logon/Logoff Events in Windows 10

Answer by Mario

You will need to enable logging of these events. Do so by opening the group policy editor:

run -> gpedit.msc

and configuring the following category:

Computer Configuration->
Windows Settings->
Security Settings->
Advanced Audit Policy Configuration->
System Audit Policies - Local Group Policy Object->
Logon/Logoff->
Audit Other Login/Logoff Events

(In the Explain tab it says "... allows you to audit ... Locking and unlocking a workstation".)

Answer by Ryan Prechel

For newer versions of Windows (including but not limited to both Windows 10 and Windows Server 2016), the event IDs are:

  • 4800 - The workstation was locked.
  • 4801 - The workstation was unlocked.

Locking and unlocking a workstation also involve the following logon and logoff events:

  • 4624 - An account was successfully logged on.
  • 4634 - An account was logged off.
  • 4648 - A logon was attempted using explicit credentials.

When using a Terminal Services session, locking and unlocking may also involve the following events if the session is disconnected, and event 4778 may replace event 4801:

  • 4779 - A session was disconnected from a Window Station.
  • 4778 - A session was reconnected to a Window Station.

Events 4800 and 4801 are not audited by default, and must be enabled using either Local Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).

The path for the policy using Local Group Policy Editor is:

  • Local Computer Policy
  • Computer Configuration
  • Windows Settings
  • Security Settings
  • Advanced Audit Policy Configuration
  • System Audit Policies - Local Group Policy Object
  • Logon/Logoff
  • Audit Other Logon/Logoff Events

The path for the policy using Local Security Policy is the following subset of the path for Local Group Policy Editor:

  • Security Settings
  • Advanced Audit Policy Configuration
  • System Audit Policies - Local Group Policy Object
  • Logon/Logoff
  • Audit Other Logon/Logoff Events

Answer by Bruno Marotta

Unfortunately there is no such thing as Lock/Unlock. What you have to do is:

  1. Click on "Filter Current Log..."
  2. Select the XML tab and click on "Edit query manually"
  3. Enter the below query:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
        *[EventData[Data[@Name='LogonType']='7']
         and
         (System[(EventID='4634')] or System[(EventID='4624')])
         ]</Select>
      </Query>
    </QueryList>
    

That's it

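As an added example (not part of any answer above), the following PowerShell combines Ryan Prechel's point that 4800/4801 must be enabled with Bruno Marotta's LogonType 7 filter: it checks whether the Other Logon/Logoff Events subcategory is audited, reads 4800/4801 directly, and also reads the LogonType 7 4624/4634 pairs, which are recorded under the separate Logon and Logoff subcategories. It assumes an elevated session on Windows 10 or Server 2016; auditpol.exe and Get-WinEvent are built in.

```powershell
# Added example, not code from the original answers. Assumes an elevated
# PowerShell session on Windows 10 / Server 2016 with the Security log readable.

# 1. Confirm the subcategory the answers refer to is being audited.
#    auditpol prints "Success and Failure", "Success", "Failure" or "No Auditing".
auditpol.exe /get /subcategory:"Other Logon/Logoff Events"

# To turn it on (same effect as the gpedit.msc / secpol.msc path in the answers):
# auditpol.exe /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

# 2. Direct lookup of 4800 (locked) / 4801 (unlocked) once auditing is on.
$lockEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue

# 3. Bruno's XPath: logon/logoff with LogonType 7 (unlock), recorded under the
#    Logon and Logoff subcategories, so it works even without 4800/4801 auditing.
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[EventData[Data[@Name='LogonType']='7']
        and (System[(EventID='4634')] or System[(EventID='4624')])]
    </Select>
  </Query>
</QueryList>
"@
$typeSevenEvents = Get-WinEvent -FilterXml $xml -MaxEvents 50 -ErrorAction SilentlyContinue

# 4. Merge both result sets into one timeline. @() guards against a single
#    event (scalar) or no events ($null) coming back from Get-WinEvent.
@($lockEvents) + @($typeSevenEvents) |
  Sort-Object TimeCreated |
  ForEach-Object {
    $e = [xml]$_.ToXml()
    # TargetUserName is the account field in 4800, 4801, 4624 and 4634.
    $user = ($e.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    $action = switch ($_.Id) {
      4800 { 'locked' }
      4801 { 'unlocked' }
      4624 { 'unlock logon (type 7)' }
      4634 { 'logoff (type 7)' }
    }
    '{0} {1,-22} {2}' -f $_.TimeCreated, $action, $user
  }
```

Under a Terminal Services session, remember Ryan Prechel's note above: 4778/4779 may appear instead of 4801, so add them to the Id list if you need remote sessions covered.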
Answer by Ingemar

To identify unlock screen I believe that you can use ID 4624. But then you also need to look at the Logon Type which in this case is 7: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624

Event ID for Logoff is 4634

Answer by Brian Johns

For Windows 10 the event ID for lock=4800 and unlock=4801.

As it says in the answer provided by Mario and User 00000, you will need to enable logging of lock and unlock events by using their method described above by running gpedit.msc and navigating to the branch they indicated:

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object -> Logon/Logoff -> Audit Other Login/Logoff

Enable for both success and failure events.

After enabling logging of those events you can filter for Event ID 4800 and 4801 directly.

This method works for Windows 10 as I just used it to filter my security logs after locking and unlocking my computer.

Answer by kevinf

Security Settings -> Advanced Audit Policy -> System Audit -> Logon/Logoff -> Audit Other Logon/Off Events -> On Success

Enables the following:

4800 - workstation locked
4801 - workstation unlocked
4802 - screensaver invoke
4803 - screensaver dismissed

Windows 10 professional
