How to find or check Windows 10 user login history?

👤 Diwas Poudel    🕒 Dec 9 2019    📁 Fix


Did you know that you can find out who logged in to your Windows 10 system while you were away? When someone logs in to the system, the logon information is stored on the Windows 10 system.

Windows 10 has the "Auditing logon events" policy, which tracks both local and network login attempts, successful and failed, along with resource access information. A user's login attempts can be viewed using Event Viewer.

Before checking the Windows 10 user login history, let us learn about Event Viewer.

Event Viewer is especially useful for troubleshooting Windows and application errors.

Note that:

a) Logon auditing only works on Windows Professional, so if you have a Home edition of Windows, you can't use it. In this article, I am using Windows 10 Professional edition.

b) The log can't tell you "who" actually logged in to the system, but it can tell you the time and date at which the login happened.

So, without wasting time, let's check the Windows 10 user login history step by step:

Step 1) Open Event Viewer

Click the Start button and type "Event Viewer" in the search box; Event Viewer will appear at the top of the list. Click on it.


The Event Viewer window will open.

Step 2) Accessing the logon history list

In the left pane, double-click "Windows Logs". You will find 5 lists there. Click "Security", which is second from the top.

Step 3) Finding the logon event ID

The middle pane now lists the events related to user logons and resource access. From the top, start searching for events with Event ID 4624, which is the user logon event ID. If you find multiple events with ID 4624, that means the system has been logged on to many times.

Step 4) Finding the details of the logon

Click on a row with Event ID 4624 and the logon information appears at the bottom of the same window.

The General section shows the main information, as below:

	Security ID:		SYSTEM
	Account Name:		DESKTOP-9SHPG17$
	Account Domain:		WORKGROUP
	Logon ID:		0x3E7

Logon Information:
	Logon Type:		5
	Restricted Admin Mode:	-
	Virtual Account:	No
	Elevated Token:		Yes

You can find out which user logged in from the Account Name and Account Domain fields.

Security ID: The SID of the account.

Account Name: The logon name on the system.

Account Domain: The domain name of the account. For local accounts, it is just the computer name.

Logon ID: Helps to identify the logon session.

Logon Type: Shows how the user logged on. There are altogether 9 different logon types. Here, the Logon Type is 5, which is a service logon; it occurs when services and service accounts log on to start a service.

Restricted Admin Mode: Here we have "-". We will find "Yes" instead of "-" only for Logon Type 10 (RemoteInteractive logon), which is when a Remote Desktop connection is made. On a normal local system we have "-". Restricted Admin mode is a safeguard against "pass the hash" attacks.


The detailed information is shown below:

- System 

  - Provider 

   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-a5ba-3e3b0328c30d} 
   EventID 4624 
   Version 2 
   Level 0 
   Task 12544 
   Opcode 0 
   Keywords 0x8020000000000000 
  - TimeCreated 

   [ SystemTime]  2019-12-17T15:45:48.912281500Z 
   EventRecordID 934340 
  - Correlation 

   [ ActivityID]  {3b9a6bd1-b09b-0000-846c-9a3b9bb0d501} 
  - Execution 

   [ ProcessID]  776 
   [ ThreadID]  15784 
   Channel Security 
   Computer DESKTOP-9SHPG17 

- EventData 

  SubjectUserSid S-1-5-18 
  SubjectUserName DESKTOP-9SHPG17$ 
  SubjectDomainName WORKGROUP 
  SubjectLogonId 0x3e7 
  TargetUserSid S-1-5-18 
  TargetUserName SYSTEM 
  TargetDomainName NT AUTHORITY 
  TargetLogonId 0x3e7 
  LogonType 5 
  LogonProcessName Advapi  
  AuthenticationPackageName Negotiate 
  WorkstationName - 
  LogonGuid {00000000-0000-0000-0000-000000000000} 
  TransmittedServices - 
  LmPackageName - 
  KeyLength 0 
  ProcessId 0x2f4 
  ProcessName C:\Windows\System32\services.exe 
  IpAddress - 
  IpPort - 
  ImpersonationLevel %%1833 
  RestrictedAdminMode - 
  TargetOutboundUserName - 
  TargetOutboundDomainName - 
  VirtualAccount %%1843 
  TargetLinkedLogonId 0x0 
  ElevatedToken %%1842
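
The same review can be done from an elevated PowerShell prompt instead of clicking through each row. The script below is an added example, not part of the original article: it reads the 4624 events with Get-WinEvent, pulls the EventData fields shown above, and lists only logons of types 2, 7, 10 and 11, leaving out service logons like the type 5 event in the sample. The 7-day window and the selection of logon types are assumptions to adjust.

```powershell
# Added example (not from the original article).
# Run in an elevated PowerShell session: reading the Security log needs admin rights.

# The 9 logon type codes recorded in event 4624.
$LogonTypes = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

# Assumptions: review the last 7 days, and only logons made at the console,
# by unlocking, or over Remote Desktop.
$Since       = (Get-Date).AddDays(-7)
$Interesting = 2, 7, 10, 11

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Convert the record to XML and index the EventData fields by name
        # (TargetUserName, LogonType, IpAddress, ... as in the detail view).
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        if ($Interesting -contains $type) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = '{0} ({1})' -f $type, $LogonTypes[$type]
                Source    = $data['IpAddress']      # "-" for local logons
                Process   = $data['ProcessName']
            }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A logon of type 10, or any logon at a time when nobody should have been at the machine, is the row to open in Event Viewer for the full detail.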