The Dangers of Deleting Microsoft Visual C++ Redistributable Libraries
🕤 26 May 2023 Read more
Check window 10 / 11 user login history
Do you know we can find out who was login into our windows 10 / 11 system when we are away? When someone logged into the system then their logged information will be stored in the windows 10 / 11 system.
In Windows 11 or Windows 10, there is the "Auditing logon events" policy to track both local and network success and failed login attempts and resource access information. Users' attempts to logged-in information can be seen using the event viewer.
Before going to check the window user login history, let us learn about Event Viewer.
Event Viewer is an auditing feature that allows administrators to configure windows systems to record day-to-day activity perform on operating system activity in the security log. So in short Event Viewer is especially useful for troubleshooting Windows and application errors and security.
Also Read: computer/laptop port with function explained
The categories of events that can be logged are:
- Directory service access
- Account logon events
- Account management
- Privilege use
- Object access
- Logon events
- System events
- Policy change
- Process tracking (source: Wikipedia )
Note that :
a) Logon auditing will only work on your Windows Professional, so if you have a home edition of windows, you can't use it. Here, in this article, I am using windows 10 Professional Editions.b) We can't tell you "who" actually logged in to the system but can actually tell you at what time and date login is done.
So without wasting time let's check windows 10 user login history step by step:
1. Windows 10 / 11 user login history using Event Viewer
Step 1 ) Open Event Viewer
Click on the start button and type "Event Viewer" in the search box and you will see Event Viewer at the top of the list. Then click on Event Viewer.
You will get Event Viewer Windows as shown below.
2)Accessing the Logging History List
Then on the left pane, double-click on "Windows Logs".There you will find 5 lists. Among them just click on "Security", which is in the second position from the top.
3)Finding actual login information ID
Then on the middle pane, you will get the list of events related to the user log and resource access information. This list is sorted by Date/Time. Therefrom top start searching events with Event ID 4624, which is actually the user logon event ID. If you find multiple 4624 IDs that means your system is logged On many times.
4)Finding Details of login information
Just click on that row (rows having Event ID 4624) you will find login information at the bottom of the same window.
Showing the main information in the general section as below:
Subject: Security ID: SYSTEM Account Name: DESKTOP-9SHPG17$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes
The user who logged in can find out from Account Name and Account Domain.
Security ID: This is the SID of the account.
Account Name: Logon name of the system.
Account Domain: Domain name of the account. In the case of local accounts, it is just a computer name.
Logon ID: It helps to identify the login session.
Login Type: Login Type shows how the user login. There are altogether 9 different types of login. Here, the Login Type is 5 which is just a service logon, which occurs when services and service accounts log on to start a service.
Restricted Admin Mode: Here we have "-". We will find "yes" instead of "-" only for login Type: 10 (RemoteInteractive logon) this is when Remote Desktop Connections is made. In our general local system, we have "-". Restricted Admin mode is for safeguarding against "pass the hash" attacks.
Importance of Event IDs and their purpose
| Event Id | Purpose |
| 4624 | A successful account logon event |
| 4625 | An account failed to log on |
| 4648 | A logon was attempted using explicit credentials |
| 4634 | An account was logged off |
| 4647 | User-initiated logoff |
| 4694 | Special groups have been assigned to a new logon |
| 6005 | Startup event |
Detail Information is shown below:
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}
EventID 4624
Version 2
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2019-12-17T15:45:48.912281500Z
EventRecordID 934340
- Correlation
[ ActivityID] {3b9a6bd1-b09b-0000-846c-9a3b9bb0d501}
- Execution
[ ProcessID] 776
[ ThreadID] 15784
Channel Security
Computer DESKTOP-9SHPG17
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName DESKTOP-9SHPG17$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName -
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x2f4
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
ImpersonationLevel %%1833
RestrictedAdminMode -
TargetOutboundUserName -
TargetOutboundDomainName -
VirtualAccount %%1843
TargetLinkedLogonId 0x0
ElevatedToken %%1842
Using Custom Filter
As you have seen, Event Viewer keeps large log records and it is difficult to find a particular event ID. But don't worry there are filter features with the help of which we can list only particular Event ID data.
- To create the filter, right-click on "Custom Views" and select the "Create Custom View" option from the list.
- Once Create Custom View window opens, look at the "Logged" section and pick a time range.
- Then, Check the By log option Use the down menu of "Event logs" and choose "Security" under "Windows Logs".
- Then, type 4624 in "All Event IDs".
- Click on "Ok".
In the next window, give the name of your custom filter name and click Ok. Here, we have given the name: " ".
- Then on the next screen, look at your filter name under "Custom Views".Click on it and you will get your login attempts(Id: 4624 only ) which you have set in earlier steps.
2. Check Windows 10 / 11 User Login History Using Powershell
We can search for a particular event log using Powershell. For this to work you must run PowerShell with admin privilege.
Steps:
- Run Powershell with admin right.
- Then paste the below code in PowerShell.
Get-EventLog security | Where-Object {$_.TimeGenerated -gt '2/10/20'} | Where-Object {($_.InstanceID -eq 4634) -or ($_.InstanceID -eq 4624)} | Select-Object Index,TimeGenerated,InstanceID,Message
Also, you can use the following Powershell Script:
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624}
Here "Get-WinEvent -FilterHashtable @Logname='Security';ID=4624" searches the "Security" event log for events with ID 4624.
Exporting the above records in CSV File
Here is the script:
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624} | Export-CSV D:\UserLoginHistory.csv
The output of the user login log is exported here using the "Export-CSV" command, and the resulting CSV file can be opened in Excel or another program of your choosing. In this particular instance, we are exporting the output to a file known as "UserLoginHistory.csv," which can be found on the drive designated by the letter D.
3. Check Windows 10 / 11 user login history Using Third-party Tools
Native audit logs are hard to understand and too complex to audit manually, Also using windows default audit log is irrigating and has to follow step by step to find the desired audit log information of the particular users at a particular time. So, using the below tools you can log hundreds of logon and logoff events information. So without delay give a try to these tools.
a) TurnedOnTimesView :(Download : click here )
It is a tool that shows Windows 11/10 / 8 / 7 2008 / Vista logon / Logout times to users. It is developed by Nir Sofer.
b) LastActivityView : (Download: click here )
It is a simple tool for analyzing the operating system log and detecting the time range the computer is on. It is developed by Nir Sofer.
c)Event Log Explorer: (Download: click here )
Event Log Explorer is a software solution that allows you to view analyze and monitor events that are registered in Microsoft Windows event logs. The Event Log Explorer simplifies and speeds up event log review (safety, program, device, installation, directory service, DNS, and others) greatly.
d)ADAudit Plus
This software can do active directory auditing, user login /logout auditing, and file server auditing. It does enterprise-wide auditing.
e)LepideAuditor (Visit here)
The report details logon and logo-off events including when from the what computer and when users are logging in. You get reliable and immediate login details reports of network users as well.
f) UserLock (visit here)
UserLock tracks, records, and reports on all user connection events to provide a central audit across the whole network system— far beyond what Microsoft includes in Windows Server and Active Directory auditing.
g) WinLogOnView
WinLogOnView is Windows Event Logging software for Windows 7/Vista/8/10 OS that analyses the security event of the OS and finds who has logged on and off on the basis of data/time. Information like Logon ID, User Name, Computer, Domain, Login/Logoff Time, Duration, and network address are logged. This information later can be exported to CSV, HTML, XML, and tab-delimited files.
h) Netwrix Auditor
Netwrix Auditor is also an IT auditing solution that enables firms to monitor, manage, and evaluate changes made to their key systems and sensitive data of an organization.
Check Windows login History if Cleared all Logs
If someone who login into your system knows about Event Viewer then he/she will clear all event viewer logs and you will not able to find who has login before. If that is the case then you can set up the last login details when the system starts.
Warning: Use Registry at your own risk.
Steps:
1 Press Win + R key combination from the keyboard Type: regedit and press Enter.
2 Click on "Yes"
This will open Registry Editor.
3 Paste the below path in the registry search field
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
4 Right-click on System > New > DWORD (32-bit) Value
5 Rename that New Value to "DisplayLastLogonInfo"
6 Double Click on "DisplayLastLoginInfo" and set the value to "1".
7 Close the registry
If you want to see the effect, just restart your PC, and just after successfully login in, you will see the message as shown below.
You will get both Successful as well as Unsuccessful Sign-Attempt info as shown above.
To disable this, just delete the "DisplayLastLogonInfo" value or you can just set that value of "DisplayLastLogonInfo" to "0"
FAQs
How to find out the last 5 login histories in windows 10 and 11?
We can use Powershell to find out the last 5 login histories and cmdlets are follows:
Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-5) -ComputerName $env:computername
How to find the Last Login History of a Particular User?
Ans: You can view a user's last login history by using the net user command in the command prompt, as shown below.
Type net user in the command prompt. This will list all users. In my case, I have an Administrator and poude user.
net user
Then type:
net user administrator | findstr /B /C:"Last logon"
where an administrator is a user and you can clearly see the Last login date and time. Replace any user displayed via the net user command and see the result.
If the user has no logon history, it will show "Never" instead of the logon date and time, as shown below.
1) Open Event Viewer directly from Run command?
Ans: Press Windows + R then type: eventvwr.msc
.jpg)
.jpg)
.jpg)
-(1).jpg)
-(1).jpg)
-(1).jpg)
-(1).jpg)
.jpg)
.jpg)
