In this post, we will show you how to use Event Viewer to check for unauthorized use of a Windows computer. While Windows Event Viewer comes across as a useful tool for viewing event logs and fixing problems & errors with Windows and other programs, it can also be used as a monitoring tool for tracking trespassers.
The program usually displays errors, warnings, and significant system events on your computer, but that is not its only use. Of course, this will be useful only if you are the single user of the computer and, as a result, have chosen not to password-protect your Windows login. Let's see how to view the logins using Event Viewer in Windows 11/10.
Use Event Viewer to check unauthorized use of computer
Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. To use Event Viewer to check unauthorized use of your computer, follow these steps:
Press Win+X on your Windows 11/10 PC to bring up the 'Power User Menu'. From the options displayed, select 'Event Viewer'.
To view events that have occurred on your computer, select the appropriate source in the console tree. In the left pane of the Event Viewer screen, click the drop-down arrow next to the 'Windows Logs' folder and choose the 'System' icon.
Next, right-click on System and choose Filter Current Log.
Then, in the window that opens, find the Event sources drop-down. Choose Power-Troubleshooter from this drop-down and click OK.
Finally, check the middle pane of the Event Viewer window. You should see all the matching recent events, shown in descending order of time.
Simply check the time you suspect your computer was used, and see if there were any events then. If there are, you can click on them to view more details. These details are displayed in the bottom middle pane.
You can also check the Security log for log-on and log-off events.
What is the event ID for unauthorized logon?
The event ID for an unauthorized logon attempt in Windows is 4625. It indicates a failed attempt at logging on to a local computer and is logged in the Security log of the Event Viewer. Event ID 4625 provides information about the account that requested the logon, logon type, IP address and port number of the machine from which the logon attempt originated, failure reason and status code, and other important information that helps administrators identify malicious activity on their network. By monitoring Event ID 4625, you may detect and investigate unauthorized login attempts and effectively protect your system from brute force attacks, credential stuffing, or account enumeration.
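The Power-Troubleshooter filter from the steps above and the Security-log check for Event ID 4625 can be combined into one timeline. The PowerShell below is an added example, not part of the original post. The 24-hour window and the selection of logon types are assumptions; event IDs 4624, 4634 and 4647 are the standard Security-log logon and logoff events.

```powershell
# Added example. Run in an elevated PowerShell window: the Security log needs admin rights.
# Assumed window: the last 24 hours. Set $From/$To to when the PC was unattended.
$From = (Get-Date).AddDays(-1)
$To   = Get-Date

# Read one named field from an event's <EventData> block ($null if the event lacks it).
function Get-EventField($Record, [string]$Name) {
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$labels = @{ 4624 = 'Logon'; 4625 = 'Failed logon'; 4634 = 'Logoff'; 4647 = 'Logoff (user initiated)' }
# Logon types that mean someone was at the keyboard or on Remote Desktop (assumed selection):
# 2 interactive, 7 unlock, 10 remote interactive, 11 cached interactive.
$interactive = '2', '7', '10', '11'

# System log, same source as the "Event sources" filter in the steps: low-power wake events.
# -ErrorAction SilentlyContinue suppresses the "no events found" error for an empty window.
$wake = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    StartTime = $From; EndTime = $To
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Event = 'Wake from low-power state'
                       Account = $null; LogonType = $null; Source = $null }
}

# Security log: logon, failed logon and logoff events in the same window.
$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4634, 4647
    StartTime = $From; EndTime = $To
} -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Event     = $labels[$_.Id]
        Account   = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'
        Source    = Get-EventField $_ 'IpAddress'
    }
} | Where-Object { -not $_.LogonType -or $_.LogonType -in $interactive }  # 4647 has no LogonType

# One chronological timeline, newest first like the Event Viewer list.
@($wake) + @($logons) | Sort-Object Time -Descending | Format-Table -AutoSize
```

A wake event followed by a logon or unlock at a time you were away is the pattern to look for; the Source column is populated only for events that record an originating address.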
What is event ID 4673?
Event ID 4673 is recorded in the Windows Security log and indicates that a privileged service was called. The event is generated when privileges like SeSystemtimePrivilege, SeCreateGlobalPrivilege, or SeTcbPrivilege are used. It provides essential information about the user, service, and process involved, allowing administrators to ensure that only authorized users and processes are performing privileged operations on the system. The event also helps in identifying potential misuse of privileges, such as unauthorized attempts to use administrative rights.