Monitor Event Logs for Events
After your computer has rebooted you will want to verify that the auditing is working.
- Open up the Security Event Log by going to Start → Settings → Control Panel.
- Double click on Administrative Tools.
- Double click on Event Viewer.
- In the left-hand pane, click on the Security event log. You should now see several events appear in the right-hand pane.
When looking for logon times, you will want to look under the "Event" column for 528 (or 4624 for Windows Vista). You can then double click on the event and you will be able to see the date, time and user who logged in.
As you can see in the picture below, the user that logged in was "Administrator". The user logged in at approximately 8:26pm on 02/10/2009.
The other interesting piece of information you can glean from the event log is the type of logon - was it someone unlocking your machine, logging in remotely, or logging in directly at the console? In the screenshot below, you can see the logon type was "2". Using the table below, you can see this type of logon corresponds to a logon at the console.
Common Logon Types:
2 - The user logged in at the console
7 - The user unlocked the computer
10 - The user logged in remotely - via Remote Desktop or Remote Assistance
11 - The user logged in while using cached domain credentials.