4800 The workstation was locked
Written when a workstation (screen) is locked. It is a supporting event for understanding a user’s presence and the session usage window.
Overview
The subcategory is Audit Other Logon/Logoff Events. It is generated when a user locks the screen (Win+L, lock on inactivity, and so on). Paired with unlock 4801, it tracks the present/away flow.
How it is triggered
- A manual lock (Win+L), or an automatic lock by screen saver or inactivity timeout.
Security review points
- Lock/unlock patterns help establish the hours when an account is actually used by a person. If there is activity (logons or access) under that account during a time it should be locked, it gives cause to suspect use via another path.
- Its standalone security priority is low, but it can reinforce the timeline of an interactive session.
Notes for log review
- It occurs in large volume daily. Rather than reading it alone, use it to build a presence timeline together with unlock 4801, logon 4624, and logoff.
- Know the normal usage patterns per machine and per account.
Key fields
| Field | Meaning |
|---|---|
Target Account\Account Name | The account that locked the screen |
Session ID | The target session |