There may be times when you wonder if something is being done with, or to your computer without your knowledge, but is there an easy way to find out what is happening while you are gone? With that in mind, today’s SuperUser Q&A post shows a reader how to monitor his computer’s activity.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader ePezhman wants to know how you find out what Windows was doing at a particular time:

With Windows 7/8/10, is there a way to find out if the computer was running at a particular or given time? For example, was the computer running or turned off last night around 10:00 p.m.?

How do you find out what Windows was doing at a given time?

The Answer

SuperUser contributor Monomeeth has the answer for us:

You can use the Windows Event Viewer to do this. To start the Event Viewer in Windows 7:

  • Click the Start Button
  • Click on Control Panel
  • Click on System and Security (or Maintenance)
  • Click on Administrative Tools
  • Double-click the Event Viewer

In Windows 8 and 10, you can open the Event Viewer with the Windows Key+X+V keyboard shortcut. You can also open it via the Run dialog using the Windows Key+R keyboard shortcut, typing eventvwr, then clicking OK.

Once you have the Event Viewer open, follow these steps:

1. In the left pane go to Windows Logs > System

2. In the right pane you will see a list of events that occurred while Windows was running

3. Click on the Event ID label to sort data by the Event ID column

4. It is possible that your event log will be extremely long, so you will need to create a filter

5. From the Actions pane on the right-hand side, click on “Filter current log”

6. Type 6005, 6006 in the unlabelled field (see the screenshot below):

7. Click OK

Please note that it may take a few moments for the Event Viewer to show the filtered logs.

In Summary

  • Event ID 6005 means “The event log service was started” (i.e. start up time).
  • Event ID 6006 means “The event log service was stopped” (i.e. shut down time).
  • If you want, you could also add Event ID 6013 to your filter. This displays the system’s uptime after booting.

Finally, if this is something you want to check regularly, you can create a custom view to show this filtered log. Custom views are located at the top left of the left pane of the Windows Event Viewer. By adding it there, you can choose to select it whenever you want to view the log.

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

Akemi Iwaya
Akemi Iwaya has been part of the How-To Geek/LifeSavvy Media team since 2009. She has previously written under the pen name "Asian Angel" and was a Lifehacker intern before joining How-To Geek/LifeSavvy Media. She has been quoted as an authoritative source by ZDNet Worldwide.
Read Full Bio »