Have you ever needed to keep a tight rein on your computer due to sensitive information saved on it? Do you work in a business environment that requires you to periodically log on to your machines to see who has had access to private files or network folders? Perhaps you lost your laptop or left your computer unlocked for a long period when there were unknown guests hanging around your office. Here are some instructions on how to view security audit information on your Windows computer, such as who logged in to your computer, what time they logged in, and even what they accessed or what actions they performed.
If you are using a Professional edition of Windows, your first step is to enable auditing of logon events. By enabling this feature, you will be able to monitor both logons and logoffs by local computer users and by users who attempt to access your computer over the network.
The first step to enabling the audit of logon events is to open the Group Policy Editor. This can be done by going to Run in your Windows Start bar and typing gpedit.msc. Find the option for Audit logon events under the following folder: Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Audit Policy.
Double click the configuration settings for Audit Logon Events and place a check in the box for both Success and Failure.
At first it may not seem necessary to track logon failures as well as successes, since someone who fails to log on cannot actually do anything prohibited on the computer. However, tracking logon failures could be one of your best ways to see if unauthorized access is happening on your computer. If someone is trying to gain unauthorized access to your machine, there is a good chance that a number of logon failures will precede a successful and potentially malicious attempt. By tracking logoff events as well, you are able to see how long the user has had a session open and how many times during the day they were logged on to the system, and to keep a historical record. This will allow you to spot erratic behavior, such as logging in and out several times in sequence in short bursts, or a user who usually accesses the computer exclusively during business hours suddenly having a number of logons in the middle of the night through the week.
You can view logon events in the system security log through the Windows Event Viewer. You can access this by going to your Start bar's Run field and typing in Event Viewer. Once the Event Viewer is open, go to the Windows Logs folder on the left-hand side and click on the Security option within it. Once you have the security log open, you will see the events that have taken place over the recorded period. You can scroll through this event list, and when you find the event you want to look at, you can double-click it. This will open a dialog box with more detailed information, such as which computer the user logged in to in a network environment. If you wish to see logon events only, you can filter by Event ID 4624, which indicates the logon event. You can use the Event Viewer to research what happened while the user was logged in by going to each of the different event categories and scrolling through the historical audit records.
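As an added example (not part of the original article), the PowerShell function below applies the two checks described above to logon records: a run of failed logons shortly before a successful one, and a successful logon outside business hours. Event ID 4625 (failed logon) is not mentioned in the article; the function name, thresholds, business hours and sample records are assumptions made for this example.

```powershell
# Added example, not from the original article. Thresholds and hours are assumptions.
# Event IDs: 4624 = successful logon, 4625 = failed logon.
function Find-SuspiciousLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # records with Time, Id, User
        [int] $FailureThreshold = 3,                # failures before a success that count as a burst
        [int] $WindowMinutes    = 10,               # look-back window before each success
        [int] $DayStartHour     = 8,                # assumed business hours: 08:00 to 18:00
        [int] $DayEndHour       = 18
    )
    $sorted = $Events | Sort-Object Time
    foreach ($ok in ($sorted | Where-Object { $_.Id -eq 4624 })) {
        $from = $ok.Time.AddMinutes(-$WindowMinutes)
        $failures = @($sorted | Where-Object {
            $_.Id -eq 4625 -and $_.User -eq $ok.User -and
            $_.Time -ge $from -and $_.Time -lt $ok.Time
        }).Count
        $offHours = $ok.Time.Hour -lt $DayStartHour -or $ok.Time.Hour -ge $DayEndHour
        if ($failures -ge $FailureThreshold -or $offHours) {
            [pscustomobject]@{
                User          = $ok.User
                LogonTime     = $ok.Time
                PriorFailures = $failures
                OffHours      = $offHours
            }
        }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-04 09:02:00'; Id = 4624; User = 'alice' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 14:00:10'; Id = 4625; User = 'bob' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 14:01:05'; Id = 4625; User = 'bob' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 14:02:30'; Id = 4625; User = 'bob' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 14:03:15'; Id = 4625; User = 'bob' }
    [pscustomobject]@{ Time = [datetime]'2024-03-04 14:04:00'; Id = 4624; User = 'bob' }
    [pscustomobject]@{ Time = [datetime]'2024-03-05 02:37:00'; Id = 4624; User = 'carol' }
)
Find-SuspiciousLogons -Events $sample | Format-Table -AutoSize

# On a live machine (elevated prompt), build the same records from the Security log:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $_.Properties[5].Value } }
```

On a real Security log, Event ID 4624 also records service and system logons, so filter on account name or logon type before relying on the off-hours flag.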