How to Know If Someone Else Is Logging Into Your Windows PC

Do you think someone has been logging into your Windows PC while you were away? If your bloodhound failed to track down the culprit, then we know some handy ways to find out if your PC was accessed or not. They may not have left a physical clue, but there is a good chance they have left evidence in Windows itself. Below we have listed some ways you can check to see if there was any unauthorized access to your Windows account or not.

Let’s start with the basics. If someone has accessed your account, then they must have used it for something. You need to check for changes to your PC that didn’t come from you.

The starting point will be the recent programs that appear in the Start menu. Click on the Start menu, and you will see the most recent programs that were open. You will only see a change if the intruder has accessed a program that you didn’t use recently.  One of the drawbacks is that they can always delete the item from here if they are smart enough. Furthermore, if the recent item view was enabled on your PC, hover your mouse cursor over  the “Recent Items” button on the right side of the Start Menu, and you will see all the files that were  opened recently. The file entry will stay there even if the actual files are deleted.

Someone-Else-using-your-PC-Recent-items

Other common places to look for changes include your browser history, recent documents and the “Programs” option in the control panel for recently added programs.

The above step was just to alert you that something is wrong. Now let’s get serious and dig up some solid proof. Windows keeps a complete record of when an account is logged in successfully and also failure attempts to log in. You can view this from the Windows Event Viewer.

To access the Windows Event Viewer, press “Win + R,” and type eventvwr.msc in the “Run” dialog  box. When you press Enter, the Event Viewer will open.

Someone-Else-using-your-PC-Run

Someone-Else-using-your-PC-Event-Viewer

Here, double-click on the “Windows Logs” button and then click on “Security.” In the middle panel you will see multiple logon entries with date and time stamps. Every time you login, Windows records multiple logon entries within a total time period of two to four minutes. Focus on the time these entries were made. In my example there are multiple logon entries from 4:49 AM to 4:52 AM. This means that I have logged into the account during this period. All previous login entries will also be recorded, so just look for the time when you were away from your PC to see if there is an entry during that period.

Someone-Else-using-your-PC-Time-stamps

If there is an entry, it means someone did access your PC. Windows won’t make fake entries, so you can trust this data.  Additionally, you can also check which particular account was accessed during that period (if you have multiple accounts). To check, double-click on “Special Logon” entry during that period, and “Event properties” will open. Here you will see the name of the account next to “Account Name.”

Someone-Else-using-your-PC-Specific-account-login

Someone-Else-using-your-PC-Account-name

The above method is quite solid for catching the intruder, but if they were smart enough they could have cleared all the event logs. In that case you can set up last login details to show up as soon as the PC starts. This will show you when the account was last logged in and any failed attempts. This information cannot be deleted, but it will only help you for future unauthorized access as you will be setting it up right now.

You will be editing the Windows Registry for this, so make sure you create a backup of it. Press “Win + R” and enter regedit in the Run dialog box to open the Windows Registry.

In the Registry you need to move to the below-mentioned location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Now right click on “System” folder and select “DWORD value” from the “New” option. An entry will be created ready to be renamed; you need to name it “DisplayLastLogonInfo.”

Someone-Else-using-your-PC-DWORD-Value

Someone-Else-using-your-PC-Display-Information-on-Login

Double-click on this entry, and set its value to “1.” Now whenever you (or someone else) log in to your PC, you will first see when you last logged in and any failed attempts.

Someone-Else-using-your-PC-DWORD-Value-1

The above methods should be able to tell if your PC was accessed by someone else. However, they will not tell you “who” actually accessed your account. So yes, you will still need that bloodhound to track down the intruder. If you know any other ways to find out if someone is logging into your Windows PC behind your back, share with us in the comments below.

Leave a Reply

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.