Windows Security Event Log - How To Determine Who and When Someone Logged into a PC


Why Audit Logon Times?

As a home user, you may be interested in knowing if anyone is using your computer while you’re away. Using the Security Event log is a powerful and easy way to track this information. Base installs of Windows XP and Vista don’t have security logging turned on by default, so this article will walk you through enabling auditing and interpreting the results.

Windows XP - Enable Security Auditing

The first step is to make sure you have security auditing enabled on your PC.

  1. Go to Start → Run
  2. Type “secpol.msc” in the Run Window. Hit ENTER.
  3. The Local Security Settings Window should open.
  4. In the left-hand window browse to Security Settings → Local Policies → Audit Policy.
  5. In the right-hand window double click the “Audit logon events” policy.
  6. In the properties window that opens, select both the “Success” and “Failure” checkboxes.
  7. Click OK.
  8. Reboot your PC.

Note: You can enable auditing on the “Audit account logon events” policy, but this will only have an effect on computers joined to a domain. This is not needed for most home users.

Windows XP - Viewing the Security Events

After your computer has rebooted you will want to verify that the auditing is working.

  1. Open up the Security Event Log by going to Start → Settings → Control Panel.
  2. Double click on Administrative Tools.
  3. Double click on Event Viewer.
  4. In the left-hand pane, click on the Security event log. You should now see several events appear in the right-hand pane.

When looking for logon times, you will want to look under the “Event” column for 528. You can then double click on the event and you will be able to see the date, time and user who logged in.

As you can see in the picture below, the user that logged in was “Administrator”. The user logged in at approximately 8:26pm on 02/10/2009.

Event ID 528 - Logon

The other interesting piece of information you can glean from the event log is the type of logon - was it someone unlocking your machine, logging in remotely, or logging in directly at the console? In the screenshot below, you can see the logon type was “2”. Using the table below, you can see this type of logon corresponds to a logon at the console.

Common Logon Types:

2 - The user logged in at the console

7 - The user unlocked the computer

10 - The user logged in remotely - via Remote Desktop or Remote Assistance

Windows Vista - Enable Security Auditing

The process for enabling security logging on a Windows Vista machine is similar to that of Windows XP.

  1. Click on the Vista Start button.
  2. Type “secpol.msc” in the Start Search menu. Hit ENTER.
  3. The Local Security Policy Window should open.
  4. In the left-hand window browse to Security Settings → Local Policies → Audit Policy.
  5. In the right-hand window double click the “Audit logon events” policy.
  6. In the properties window that opens, select both the “Success” and “Failure” checkboxes.
  7. Click OK.
  8. Reboot your PC.

Note: You can enable auditing on the “Audit account logon events” policy, but this will only have an effect on computers joined to a domain. This is not needed for most home users.

Windows Vista - Viewing the Security Events

After your computer has rebooted you will want to verify that the auditing is working.

  1. Open up the Security Event Log by going to Start → Control Panel.
  2. Double click on Administrative Tools.
  3. Double click on Event Viewer.
  4. In the left-hand pane, click on the Security event log. You should now see several events appear in the right-hand pane.

When looking for logon times, you will want to look under the “Event” column for 4624. Note that this is a different Event ID from the one Windows XP uses to track logon events. You can then double click on the event and you will be able to see the date, time and user who logged in. You may find it easier to locate specific events by using the built-in Filtering options.

As in Windows XP, you can determine how the user logged into the computer by examining the Logon Type. The logon type “codes” are the same for both Windows XP and Vista.

Common Logon Types:

2 - The user logged in at the console

7 - The user unlocked the computer

10 - The user logged in remotely - via Remote Desktop or Remote Assistance
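The Event Viewer filtering described above can also be scripted. The following is an added example, not part of the original article: it runs in an elevated PowerShell session on Vista or later, pulls Event ID 4624 records from the Security log, and reports only the three logon types listed in the table. It reads the event's own TargetDomainName, TargetUserName, LogonType and WorkstationName fields; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example (not from the original article): list console, unlock and remote
# logons recorded as Event ID 4624 in the Security log. Run from an elevated
# PowerShell prompt, since the Security log is readable only by administrators.

# The logon type codes from the article's table, mapped to their meaning.
$logonTypes = @{
    '2'  = 'Console'
    '7'  = 'Unlock'
    '10' = 'Remote (Remote Desktop / Remote Assistance)'
}

# Arbitrary look-back window (assumption): the last seven days.
$since = (Get-Date).AddDays(-7)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        # Each 4624 event stores its details as named <Data> elements in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Skip service, network and other logon types the article does not cover.
        if (-not $logonTypes.ContainsKey($data['LogonType'])) { return }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Meaning   = $logonTypes[$data['LogonType']]
            From      = $data['WorkstationName']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An unexpected Unlock or Remote entry while you were away is the same signal the article has you look for by hand in Event Viewer.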