[Who logged on to my computer? How to view Windows event logs?

Source: Internet
Author: User

[Who logged on to my computer? How to view Windows event logs?

Source: Data Security and forensics (ID: Cflab_net)

Original: Wendy


In addition to your Mac laptop, Wendy also has a Windows desktop. There is nothing to do with your laptop, but recently I feel that every time I open a Windows desktop at work, it is different from the time I left the previous day! However, it is not good to ask questions everywhere. You only need to do it yourself ?.

Fortunately, it is not difficult. If you have such doubts, come and try again with me! Check if anyone has ever logged on to our computer.


Body


We all know that any computer activity leaves traces, which is why we can collect computer evidence. Today I will share with you a simple method to show you how to view the computer logon status.

1. Right-click "my computer", select "manage", and open "Event Viewer". Alternatively, press the Windows key + R key and enter "eventvwr. msc" to open "Event Viewer 」.



2. In the Event Viewer window, expand the Windows Log and select security. The logon log is displayed.


3. You will see a list in the window, including "keyword", "date and time", "Source", "event ID", and "task category ".


Every time a user performs some operations, the audit log records an audit item. We can review the successful and failed attempts in the operation.

Security Audit is extremely important for any enterprise system becauseAudit logs to record security violations.If an intrusion is detected, the audit log generated by the correct audit settings can contain important information about the intrusion..

We can see that the taskbar shows a lot of time-related information: Logon Time, exit time, and other details.

4. filter the event ID 」. There is a filter in the right column of the window. We can filter log records purposefully based on our own situation.


In my case,The event ID is "4624", which indicates successful login.


In logs, different logon conditions have different event ID numbers. For example, "4672" indicates logon with special permissions. These numbers are specified, you can check it yourself.

5. view the details of a logon record. Click "details" to view "friendly View", for example:


You can also view the "XML" View:



These two views contain a lot of information! Each piece of information has a specific meaning, and what I want to share in this article is"Logon Type", that is, the Logon Type,By using the logon type, we know the logon status.

As shown in"LogonType 5"What does it mean? Let's look at a table.


In this table, different numbers correspond to different types of logon, and LogonType 5 indicates that the background service of the computer has logged on with my account.

In addition, I found many logon types on my computer,"2" indicates that I log on with the keyboard and mouse, while "3" means that someone has logged on to my computer remotely.-- That's right. I found the "Suspect" who had quietly logged on remotely from work hours. It's necessary .?

Is it awesome?

Learning to view Windows logs is a very practical technique. It is often used in Forensics. We used Windows logs to find evidence of employee theft in internal enterprise surveys.

Windows logs contain a lot of information. Today, only the tip of the iceberg is shared, but its practicality is self-evident. Please practice it now!





Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.