Very often we share the login credentials of our Windows PCs with others, to let them use the machine for a limited period of time or for some other unavoidable reason, and then forget to change the password. Without a doubt, it’s a very poor security practice.
This also makes us wonder how we can know if something is being done to our computers in our absence. To find out, one can use the built-in Windows Event Viewer. It’s useful for system error logging, warnings, informational events and so on. However, very few people know about it.
Whenever a Windows user starts a program on a PC, it posts a notification in an Event Log. It also records every hardware glitch, driver issue, security changes, system access, etc. It’s basically a database that keeps recording all the significant system activities in the form of simple text files.
In this article, I’ll tell you how to find if someone logged into your computer at a given time.
How to start Event Viewer on a Windows PC?
To start Event Viewer on Windows 7 and 8.1, click the Start button and open the Control Panel. Now find the System and Maintenance option and click on it. There, you’ll find Administrative Tools, which contains Event Viewer.
On Windows 10, one can simply type Event Viewer in the desktop search box. Alternatively, one can use the Windows+X+V key combination to launch the program.
Another way to open Event Viewer is the Run dialog. Press the Windows+R keys to open the Run dialog, then type eventvwr and click OK.
How to find if someone logged into your computer without permission?
After opening Event Viewer on your Windows PC, go to Windows Logs > System. The middle pane will then show a list of the events that took place while Windows was running. The events might take a couple of moments to populate.
Here, click on any row in the middle pane to open a new pop-up with the information about that particular event. Now, to find out if someone logged into your PC, you need to sort this data.
To do this, click on the Filter Current Log button in the right pane. Firstly, make sure that the Event logs field shows System. Secondly, make sure that the User field shows <All Users>.
As shown in the screenshot, enter event IDs 6005 and 6006 in the empty field. This will filter the System events.
You can see the start-up and shut down time in the Date and Time column. Here, Event ID 6005 means “The event log service was started” (i.e. start-up time) and 6006 means “The event log service was stopped” (i.e. shut down time).
You can also use the Custom view option if you wish to check this data regularly.
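The same filter can be run from PowerShell. The script below is an added example, not part of the original article: it reads events 6005 and 6006 from the System log, pairs them into power-on sessions, and marks the sessions that began during a period you were away. The function name, the parameter names and the default dates are assumptions made for illustration. Because these two IDs record when the event log service started and stopped, the output shows when the PC was running, not which account was used.

```powershell
# Added example, not from the original article.
# $AwayFrom/$AwayTo/$DaysBack are constructed sample values: set them to your own absence.
param(
    [datetime]$AwayFrom = '2024-01-10 18:00',
    [datetime]$AwayTo   = '2024-01-12 08:00',
    [int]$DaysBack      = 30
)

# Pair each 6005 (event log service started) with the next 6006 (service stopped).
function Get-PowerSession {
    param([object[]]$LogEvents)
    $start = $null
    foreach ($e in ($LogEvents | Sort-Object TimeCreated)) {
        if ($e.Id -eq 6005) {
            # Two 6005s in a row: the earlier run has no recorded 6006, which
            # suggests a crash or power loss, so report it as not clean.
            if ($null -ne $start) {
                [pscustomobject]@{ Started = $start; Stopped = $null; Clean = $false }
            }
            $start = $e.TimeCreated
        }
        elseif ($e.Id -eq 6006 -and $null -ne $start) {
            [pscustomobject]@{ Started = $start; Stopped = $e.TimeCreated; Clean = $true }
            $start = $null
        }
    }
    # A trailing 6005 is the session that is running right now.
    if ($null -ne $start) {
        [pscustomobject]@{ Started = $start; Stopped = $null; Clean = $null }
    }
}

# Same filter as the Filter Current Log dialog: System log, IDs 6005 and 6006.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 6005, 6006
    StartTime = (Get-Date).AddDays(-$DaysBack)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Warning 'No 6005/6006 events in the selected period.'; return }

Get-PowerSession -LogEvents $events |
    Select-Object Started, Stopped, Clean,
        @{ Name = 'WhileAway'; Expression = { $_.Started -ge $AwayFrom -and $_.Started -le $AwayTo } } |
    Format-Table -AutoSize
```

Rows with WhileAway set to True are the start-ups worth a closer look in Event Viewer.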
Did you find this tutorial on how to use Event Viewer to find if someone used your computer without your knowledge helpful?
IT Security Professional – Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester.