
Can I tell when someone logged into my machine, and what they did?

Question:

I suspect that somebody has attempted to access my computer when I
was thoughtless enough to leave it physically unsecured for some time.
(I've now read your article on securing and will comply in the future.)
Is there any way of checking to see times and dates of when the
computer was booted and if files have been copied off your computer?
Date and time of when the file in question was copied last, if at all?
I know when the laptop (Dell Inspiron 9100) was unsecured so if this
type of information is logged somewhere on the (C:) or elsewhere I'd be
able to know if someone other than myself used my computer.

Yes, we can probably tell when your computer was booted, and even
when it was logged into.

But no, we can't tell what that person did once they were logged in;
at least not to the granularity that you're looking for.


I'm going to use Windows Vista examples to describe what we can look at, but Windows XP is very similar - perhaps even simpler.

First, click on Start and then Run (or type Windows Key + R), and enter "eventvwr":

The Vista Start/Run dialog

Press OK to start the Windows Event Viewer.

Windows Event Viewer (Vista)

Now, the event viewer is a fairly complex and even intimidating beast. It doesn't help that most applications that log events don't do so in a very friendly, or even useful way. However, we can focus on a couple of things to get the information we're looking for.

Start by expanding the "Windows Logs" items on the far left, so that the specific logs are visible:

Windows Event Viewer, Log List

Now click on Security, and you'll see a list of security-related events that have occurred on your machine:

Security Log in Event Viewer

In the example above, you can see that I've highlighted an event logged when I logged into my own machine. In fact, if you look closely you can see that I logged off at 4:02 AM (when this machine automatically reboots each night), and logged on at 8:47 AM, shortly after getting up.

Warning: there's a ton of noise in the event log. In particular you'll see lots of logins by "Anonymous" as well as other activity. This is expected, and does not imply that anything malicious is happening. This is one of the huge problems with the event log that I alluded to earlier - there's often a lot of information in it that is confusing and misleading - even to the people that are supposed to understand it. Don't panic if you see something you don't understand; it's likely to be totally benign.

But now you can at least see when your machine is being logged into. If you weren't around at the time ... well, that may tell you something.
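The same lookup can be scripted, which helps cut through the noise described above. The PowerShell below is an added example, not part of the original article; it assumes Vista or later with PowerShell 2.0+ and an elevated prompt. The time window is a constructed sample, and the event IDs (4624/4625/4634/4647 in Security, 6005/6006 in System) and logon-type numbers are the standard Windows values, not taken from the article.

```powershell
# Added example. Run elevated: reading the Security log needs administrator rights.
# Constructed sample window; replace with the period the machine was left unattended.
$start = Get-Date '2009-06-14 18:00'
$end   = Get-Date '2009-06-15 09:00'

# Logon types that mean a person at the console or in a remote desktop session.
# Type 3 (network) and type 5 (service) logons make up most of the background noise.
$interactive = @{ 2 = 'Interactive'; 7 = 'Unlock'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
$labels = @{ 4624 = 'Logon'; 4625 = 'Failed logon'; 4634 = 'Logoff'; 4647 = 'User-initiated logoff'
             6005 = 'Event log started (boot)'; 6006 = 'Event log stopped (shutdown)' }

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634, 4647; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue

$boots = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue

$rows = @()
foreach ($ev in $logons) {
    # Security events carry their details as named <Data> fields in the event XML.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4647 has no LogonType field; it is logged for interactive and
    # remote-interactive sessions, so it is always kept.
    $type = $data['LogonType']
    if ($ev.Id -ne 4647 -and -not $interactive.ContainsKey([int]$type)) { continue }

    $typeName = ''
    if ($type) { $typeName = $interactive[[int]$type] }
    $rows += New-Object PSObject -Property @{
        Time  = $ev.TimeCreated
        Event = $labels[$ev.Id]
        User  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Type  = $typeName
    }
}
foreach ($ev in $boots) {
    $rows += New-Object PSObject -Property @{
        Time = $ev.TimeCreated; Event = $labels[$ev.Id]; User = ''; Type = ''
    }
}

# One chronological timeline of boots, shutdowns and at-the-keyboard logons.
$rows | Sort-Object Time | Format-Table Time, Event, User, Type -AutoSize
```

An empty result means either nothing happened in the window or the relevant auditing is not enabled, so it is not proof that the machine was untouched.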

Unfortunately, without additional logging software or settings, that's about all you can tell after the fact. There's no way to know if files were copied, opened or altered, for example. You might get lucky and notice it on a recently opened documents list, but that's only if the document were opened in a way that would add it to that list - copying doesn't count. The file system might keep a "last accessed" date and time, but any access - read, copy, open, whatever - will reset that information (and keeping this information is also occasionally disabled for performance reasons).

The only sure way to track things to this level of detail is actually to install spyware on your own machine. Parental tracking and control software is a common approach.


10 comments on “Can I tell when someone logged into my machine, and what they did?”

  1. Can't one use a keylogger to tell what was done while one is away from one's machine?

    If so, what is the best keylogger?

  2. Windows XP does not have the ‘login’ list.

    Additionally, the ‘history’ may not even list the last 24 hours, depending on YOUR activities.

    Security lists only log off/log on when switch users is activated, not a straight turn on computer -> log on.

  3. in XP (when suspicious) I’ve used command “net user ” to check when last log on occurred.
    Good Luck and happy learning
    YALTERS

  4. you may get a few more details of what they did if they didn’t try to cover their tracks

    1. Check recent documents and you may see the names of any files created.
    2. Check the browser cache to see which web sites they visited (the time of the files will make it easy to see if they were downloaded when you weren’t using your machine).
    3. I use Total Commander (plug for a great utility) but there are lots of other options and can search my computer for any files created between certain times.

  5. It’s going rather far, but if you’re really suspicious, you can write a teensy little batchfile that’ll write the current date and time to a designated textfile. For example (but mind you, this is just off the top of my head):

    @echo off
    rem Record the date and time of this logon (">" overwrites the file on each run)
    echo %DATE% %TIME% > "C:\[Put-Your-Desired-Path-Here]\xxx.txt"
    exit

    …You save this somewhere inconspicuous with a name ending in *.BAT (for example, “Hello.BAT”), and put a shortcut to that batchfile (make sure it runs minimized!) in your “startup” folder.

    Now, anytime anyone logs on, the date and time of the latest login will be stored to that text file. (If you want a running list of logins, put a “>>” before the filename — that is, use two, instead of just one, “greater-than” — to signal an “append” as opposed to an “overwrite” operation.)

    The downside is that the title of the batchfile itself will be visible, very briefly, in the Windows Taskbar during each login, and if your interloper is suspicious, he can trace your little logon-tracker without too much effort. Naming your batchfile something innocuous should go a long way to allaying such suspicions.

    Hope this helps, and good luck!       :)

  6. What about using Start>Search>For Files or Folders and searching all files and folders created/opened that day (then sorting chronologically)?

    Sure. Assuming that she didn’t clean up after herself, that is. Problem is … you just don’t know.

    – Leo
    15-Jun-2009

  7. Thanks for this, but when I click on “Security”, the logs are empty. So I assume either someone erased them (but why would he erase ALL the logs, not just his), or my computer is set to not track logs. If that’s the case, how do I activate log tracking?

    Thanks.
