If we suspect that third parties have accessed our computer without our permission, we can find out with the Event Viewer tool. Even if they have left no physical evidence, they may have left traces in the Windows 10 and Windows 11 logs, which we can check.
The Microsoft operating system has a series of auditing functions that record everything that happens on the computer, such as errors, security problems or the logons made on it. We therefore have access to a history in which we can check with certainty the date, time and user account of each logon.
How to enable history tracking
In general, this policy should be enabled by default on our Windows 10 or Windows 11 computer, although there may be cases where the users' logon history cannot be seen because the policy is disabled. This problem occurs especially in the Pro versions of Windows, so it will be necessary to enable it manually.
This is done from the Local Group Policy Editor, which we open by pressing the keyboard shortcut Windows + R and typing gpedit.msc. We then press Enter or the OK button to confirm. Once the editor appears on the screen, navigate to the following location:
Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy
Next, we double-click the “Audit logon events” entry. In the new window, on the Local Security Setting tab, we tick the “Success” and “Failure” boxes. Finally, we click Apply and then OK to save the changes. Once this is done, we restart the system and we will be able to track the user’s logon history.
Check your login history
The tool that we will use to check the logon history is the Event Viewer, which is included by default in Microsoft’s operating system. It displays a log of system and application messages, including errors, information messages and warnings. To open it, press the keyboard shortcut “Windows + R” to launch the Run dialog, type eventvwr.msc and click OK.
Once it is open, we look at the left column and expand the “Windows Logs” option. From the options that appear we select “Security”, which gives us access to the logon history. At the top we will see a list of events, ordered by date and time. There are also other columns such as “Source”, “Event ID” and “Task Category”.
Locate the event
The column that interests us is “Event ID”, where we look for the entries with the number 4624, which corresponds to a user logon. If we see several events with that number, it means that several logons have occurred. We can see everything related to an event by clicking the “Details” tab at the bottom, which shows all the information collected about the user’s logon.
This event records each successful logon that has been made on our computer. It includes critical information such as the type of logon (interactive, batch, network or service), SID, user name and network information, among other details. Monitoring this event is therefore essential, since all of this information about the type of logon is not found on the domain controllers.
Apply filters for details
If we are not familiar with the Event Viewer, we may find that there is too much information, that it is redundant or difficult to understand, or that it is simply overwhelming. To avoid this, we can apply filters. Since we are interested in ID 4624, which relates to logons, a filter lets us follow just the information that matters to us.
This is something that we can do easily from the Event Viewer itself. We look at the column on the right, called “Actions”. There, in the “Security” section, we click the “Create Custom View” option. A new window will appear, in which we select the “By log” option. Right next to it, in “Event logs”, we leave “Security” selected.
Just below, we replace the “<All Event IDs>” placeholder with the ID we are interested in, which is 4624. At the top, where it says “Logged”, we can set the time from which we want to filter. It can be any time, or the last hour, last 12 hours, last 24 hours, last 7 days or last 30 days. We can even set a custom range, from the first event to the last, with the dates and times that we need. In this way we can narrow the search to a specific range of days and times.
Once finished, we press the “OK” button, which opens a new window where we can give the view a name and a description so that we can find it later without difficulty. We can also choose where the custom view is saved, either in the “Custom Views” folder or in another folder that we create. Finally, we click OK to save the new filter.
Next, the log history appears with all the filtered information for the event ID that we selected. We can now see the dates and times of all the logons that occurred in the selected period.
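The same 4624 filter can be run from PowerShell, which also pulls out the fields shown in the “Details” tab (logon type, SID, user name, network information). This is an added example, not part of the original article; the 24-hour window and the variable names are assumptions, and it uses only the built-in Get-WinEvent cmdlet.

```powershell
# Added example: list successful logons (event ID 4624) from the Security log.
# Run in an elevated PowerShell session; reading the Security log requires it.

$Hours = 24   # assumed look-back window, equivalent to "Last 24 hours" in "Logged"

# Logon type codes stored in the LogonType field of event 4624.
$LogonTypes = @{
    2 = 'Interactive';    3  = 'Network';           4  = 'Batch'
    5 = 'Service';        7  = 'Unlock';            8  = 'NetworkCleartext'
    9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Same three criteria as the custom view: log, event ID and time range.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }

# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$logons = foreach ($evt in $events) {
    # The Details fields are stored as <Data Name="...">value</Data> under EventData.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $type = [int]$data['LogonType']
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Sid       = $data['TargetUserSid']
        LogonType = if ($LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { "Type $type" }
        SourceIp  = $data['IpAddress']
        Computer  = $data['WorkstationName']
    }
}

# Service and network logons make up most 4624 entries. Keep only the logon
# types produced by someone using the machine locally or over Remote Desktop.
$logons |
    Where-Object { $_.LogonType -in 'Interactive', 'Unlock', 'RemoteInteractive', 'CachedInteractive' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Interactive entries for the Window Manager (DWM-n) and Font Driver Host (UMFD-n) accounts are created by Windows itself at each session start, so the rows to review are those for real user accounts at times we do not recognise.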