Check User Account Login History

TL;DR

Yes, you can check if a colleague logged into your account on a shared computer using Windows Event Viewer. Look for specific event IDs related to user logins and logoffs.

How to Check Account Login History in Windows

  1. Open Event Viewer: Press the Windows key, type “Event Viewer”, and select it from the results.
  2. Navigate to Security Logs: In the left pane, expand Windows Logs then click on Security.
  3. Filter for Login Events (Event ID 4624): This event records successful logins.
    • Right-click on Security in the left pane and select “Filter Current Log…”.
    • In the “Event IDs” field, enter 4624. This will show only login events.
    • Click OK.
  4. Filter for Logout Events (Event ID 4634): This event records successful logoffs.
    • Repeat step 3, but enter 4634 in the “Event IDs” field.
  5. Examine Login and Logout Records:
    • Sort by Date and Time to easily find recent events.
    • Double-click an event to view its details.
    • Look for the following information:
      • Account Name: This will show your username.
      • Security ID: This is a unique identifier for the user account.
      • Logon Type: Important values include:
        • 2: Interactive: A login at the computer’s console (physical keyboard/mouse). This is what you’d expect from someone using the shared machine directly.
        • 3: Network: Login over a network connection (e.g., accessing fileshares).
        • 10: RemoteInteractive: Login via Remote Desktop Protocol (RDP).
      • Source Network Address: If the login was from a network, this shows the IP address of the computer used to connect.
  6. Identify Potential Unauthorized Logins:
    • If you see Event ID 4624 with your username and a Logon Type other than what you expect (e.g., Interactive when you weren’t using the machine), investigate further.
    • Check the Source Network Address to identify which computer was used for the login.
    • Look for corresponding Event ID 4634 events to see if there was a matching logout. A missing or unusual logout event could indicate an issue.
  7. Using PowerShell (Advanced): You can also use PowerShell to filter the logs.
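    # Properties[5] is the logged-on Account Name (TargetUserName) of event 4624; run from an elevated PowerShell prompt.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Properties[5].Value -eq "YourUsername"}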

    Replace “YourUsername” with your actual username.
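
The review in steps 3 to 6 done in one pass, as an added example that is not part of the original article: it reads events 4624 and 4634 for one account and pairs each logon with its logoff by Logon ID. The names $User, $Days and Get-EventField and the seven-day window are assumptions made for illustration.

```powershell
# Added example. $User, $Days and Get-EventField are illustrative names.
# Run from an elevated prompt: reading the Security log needs admin rights.
$User = 'YourUsername'   # placeholder: the account to review
$Days = 7                # assumed look-back window

# Return an event's named <Data> fields as a hashtable, so fields are read by
# name (TargetUserName, LogonType, ...) rather than by Properties[] position.
function Get-EventField($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634; StartTime = (Get-Date).AddDays(-$Days)
}

# Index logoff (4634) times by Logon ID. IDs can repeat after a reboot, so
# keep every time seen and later pick the first one after the logon.
$logoffs = @{}
foreach ($e in $events | Where-Object Id -eq 4634) {
    $f = Get-EventField $e
    if ($f.TargetUserName -ne $User) { continue }
    if (-not $logoffs.ContainsKey($f.TargetLogonId)) { $logoffs[$f.TargetLogonId] = @() }
    $logoffs[$f.TargetLogonId] += $e.TimeCreated
}

# Logon types 2, 3 and 10 are the ones listed above; 7 and 11 are further
# documented values that also occur on shared workstations.
$typeName = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'
               '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

$events | Where-Object Id -eq 4624 | ForEach-Object {
    $f = Get-EventField $_
    if ($f.TargetUserName -ne $User) { return }   # skip other accounts
    $logon = $_.TimeCreated
    $off = $logoffs[$f.TargetLogonId] | Where-Object { $_ -ge $logon } |
        Sort-Object | Select-Object -First 1
    [pscustomobject]@{
        LogonTime     = $logon
        LogonType     = "$($f.LogonType) $($typeName[$f.LogonType])".Trim()
        SourceAddress = $f.IpAddress
        LogonId       = $f.TargetLogonId
        LogoffTime    = if ($off) { $off } else { 'no matching 4634' }
    }
} | Sort-Object LogonTime | Format-Table -AutoSize
```

Each output row is one logon of the chosen account, so a row with a Logon Type or Source Network Address you do not recognise is the one to open in Event Viewer.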

Important Considerations

  • Audit Policy: Ensure that login auditing is enabled on the computer. If it isn’t, you won’t have records to review. A system administrator will need to configure this.
  • Log Size: Security logs can grow large quickly. Regular archiving or configuration of maximum log size may be necessary.
  • Time Synchronization: Accurate time synchronization is crucial for correlating login and logout events correctly.