Troubleshooting Logon Issues with WinLogOnView

What WinLogOnView shows

  • Fields: Logon ID, User Name, Domain, Computer, Logon Time, Logoff Time, Duration, Network Address, Logon Type.
  • Data sources: Local computer, remote computer (with credentials), or external disk (reads Security.evtx / archive logs).
  • Export: HTML, XML, CSV/tab-delimited, text; command-line save options available.

Quick diagnostic checklist (step-by-step)

  1. Run WinLogOnView (no install required).
  2. Select data source: Local by default; use Advanced Options (F9) for remote or external disk.
  3. Filter by user / time / computer: Sort or use search to narrow to the failing account/time.
  4. Confirm logon events exist: Look for matching Logon ID and Logon Time entries. If missing, the OS may not have generated security events—check audit policy.
  5. Check Logon Type:
    • 2 = Interactive (console)
    • 3 = Network (e.g., SMB)
    • 10 = RemoteInteractive (RDP)
      A logon type that does not match the expected method (for example, a Network logon where an RDP session was expected) indicates the authentication took a different path than intended.
  6. Correlate logoff/duration: A missing logoff time can indicate abrupt session termination or that no 4634 (logoff) event was recorded for that Logon ID—inspect nearby events.
  7. Use External/Archive logs if needed: If you suspect older events were archived, load the Security.evtx from C:\Windows\System32\winevt\Logs or from an external disk.
  8. Check network address: If authentication comes from another host, note its IP address or name so that host's logs can be checked as well.
  9. Export results: Save filtered sessions to CSV/HTML to share with IT or analyze in Excel. Use command-line options for automation.
  10. If WinLogOnView shows nothing or errors:
    • Enable “Use New Event Log API” in Advanced Options.
    • Ensure you have admin rights and sufficient permissions to read the Security log.
    • For remote queries, provide correct credentials and ensure the remote Event Log service is reachable and firewall rules permit RPC/WMI or whichever API is used.
  11. Follow up with Event Viewer / Microsoft guidance: If WinLogOnView indicates missing or problematic events, open Event Viewer -> Windows Logs -> Security (and Application/Service logs such as User Profile Service) to inspect error/warning event IDs and diagnostic logs.
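
The same correlation WinLogOnView performs (matching a 4624 logon to its 4634 logoff by Logon ID, computing duration, and flagging logon type mismatches) can be reproduced directly from the Security log, which is useful for cross-checking steps 3 to 8 in Event Viewer data. The following PowerShell script is an added example, not WinLogOnView's code nor part of the original post; the parameter names are this example's own, and it assumes an elevated session that can read the Security log.

```powershell
# Rebuilds Logon ID / Logon Time / Logoff Time / Duration / Logon Type from
# Security events 4624 (logon) and 4634 (logoff). Added example; parameter
# names are hypothetical. Run from an elevated PowerShell session.
param(
    [string]$User = '*',          # step 3: narrow to one account, wildcards allowed
    [int]$Hours = 24,             # step 3: time window to inspect
    [int]$ExpectedLogonType = 0,  # step 5: 2, 3 or 10; 0 = do not check
    [string]$Path                 # step 7: archived Security.evtx; empty = live local log
)

$typeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

# Read named EventData fields from the event XML; positional Properties[]
# indexes differ between 4624 and 4634, so names are safer.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ Id = 4624, 4634; StartTime = (Get-Date).AddHours(-$Hours) }
if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning 'No 4624/4634 events found: check audit policy (step 4) and log permissions (step 10).'; return }

$sessions = @{}
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $id = Get-EventField $e 'TargetLogonId'
    if ($e.Id -eq 4624) {
        $name = Get-EventField $e 'TargetUserName'
        if ($name -notlike $User) { continue }
        $sessions[$id] = [pscustomobject]@{
            LogonId = $id; User = "$(Get-EventField $e 'TargetDomainName')\$name"
            LogonType = [int](Get-EventField $e 'LogonType')
            Address = Get-EventField $e 'IpAddress'       # step 8: source host
            LogonTime = $e.TimeCreated; LogoffTime = $null
        }
    } elseif ($sessions.ContainsKey($id)) {
        $sessions[$id].LogoffTime = $e.TimeCreated        # 4634 closes the session
    }
}

$sessions.Values | ForEach-Object {
    $notes = @()
    if (-not $_.LogoffTime) { $notes += 'no 4634 logoff recorded (step 6)' }
    if ($ExpectedLogonType -and $_.LogonType -ne $ExpectedLogonType) { $notes += 'logon type differs from expected method (step 5)' }
    [pscustomobject]@{
        LogonId = $_.LogonId; User = $_.User; Address = $_.Address; LogonTime = $_.LogonTime
        LogonType = "$($_.LogonType) ($($typeNames[$_.LogonType]))"
        Duration = $(if ($_.LogoffTime) { $_.LogoffTime - $_.LogonTime } else { $null })
        Notes = $notes -join '; '
    }
} | Sort-Object LogonTime | Format-Table -AutoSize
```

Sessions with an empty Duration correspond to the missing-logoff case in step 6; pipe the output to Export-Csv instead of Format-Table to produce the same kind of shareable file as step 9.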

Common causes & fixes

  • Insufficient audit policy: Enable “Audit Logon/Logoff” (Success/Failure) in Local/Group Policy.
  • Permissions: Run as admin or use credentials for remote computer.
  • Event log archival/size limits: Configure log retention or load archived EVTX files.
  • Time skew / DST issues: Ensure system time is correct across machines.
  • Remote access blocked: Open required firewall ports and enable remote event log access.
  • Corrupted event log
