Have you ever wanted to monitor who’s logging into your computer and when? On Professional editions of Windows, you can enable logon auditing to have Windows track which user accounts log in and when.
The Audit logon events setting tracks both local logins and network logins. Each logon event specifies the user account that logged on and the time the login took place. You can also see when users logged off.
Enable Logon Auditing
First, open the local group policy editor – press the Windows key, type gpedit.msc in the Start menu, and press Enter. (You can also enable logon event auditing on a domain controller if you administer a network with centralized logins.)
Navigate to the following folder: Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> Audit Policy.
Double-click the Audit logon events policy setting in the right pane to adjust its options. In the properties window, enable the Success checkbox to log successful logons. You can also enable the Failure checkbox to log failed logins.
Viewing Logon Events
After enabling this setting, Windows will log logon events – including a username and time – to the system security log.
To view these events, open the Event Viewer – press the Windows key, type Event Viewer, and press Enter to open it.
Navigate to the Windows Logs –> Security category in the event viewer.
Look for events with event ID 4624 – these represent successful login events.
To see more information – such as the user account that logged into the computer – you can double-click the event and scroll down in the text box. (You can also scroll down in the text box underneath the list of events.)
If your security log is cluttered, you can click the Filter Current Log option in the sidebar and filter by event ID 4624. The Event Viewer will display only logon events.
Because this is just another event in the Windows event log with a specific event ID, you can also use the Task Scheduler to take action when a logon occurs. You can even have Windows email you when someone logs on.
Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
- Published 09/13/12