Do you think someone has been logging in to your Windows PC while you have been away? If your bloodhound failed to track down the culprit, then we have some handy ways for you to find out whether your PC was accessed. They may not have left a physical clue, but there is a good chance they left evidence in Windows somewhere. Uncover whether someone else is logging in to your Windows PC using any combination of the following methods.
Recent Activity in Jump Lists
Current versions of Windows 10 no longer show recent activity, outside of recently added apps, in the Start menu. Skip to the next section if you’re using an an earlier version of Windows 10 or earlier versions of Windows.
However, Windows 11 does show recommendations in the Start menu. (The feature is turned on by default, but sneaky users might have turned it off.) These are based off of recent usage, which can indicate if someone else was using your PC.
However, you can view recently accessed files by right-clicking apps in your Start menu and taskbar. Want to see if someone opened a Word doc? Open any Word doc, right-click its icon on the taskbar (this also works if you have a pinned shortcut on the taskbar), and look for Recent.
You can do the same thing in your Start menu. Right-click any app you think someone might have accessed to look for any recent items, including browser items. If your browser auto-deletes history on close, nothing may show.
Alternately, open File Explorer and look under “Quick Access.”
You may need to turn this setting on if it’s not on by default. Go to “Start -> Settings -> Personalization -> Start.”
Ensure “Show recently opened items in Start, Jump Lists, and File Explorer” is turned on.
Recent Activity (Older Versions of Windows and Windows 10)
Let’s start with the basics. If someone has accessed your account, then they must have used it for something. You need to look for changes to your PC that weren’t done by you.
The starting point will be the recent programs that appear in the Start menu. Click on the Start menu to see the most recent programs that were open. You will only see a change if the intruder has accessed a program that you didn’t use recently.
One of the drawbacks is that they could always delete the item from here if they are smart enough. Furthermore, if the recent item view was enabled on your PC, hover your mouse cursor over the “Recent Items” button on the right side of the Start Menu to see all the files that were opened recently. The file entry will stay there even if the actual files are deleted.
Other common places to look for changes include your browser history, recent documents and the “Programs” option in the control panel for recently added programs.
This isn’t available in Windows 11. Recent items are only listed by right-clicking an app icon and in Quick Access. However, if the recent items feature is turned off in your PC settings, they won’t appear here either.
Check Windows Event Viewer
The above step was just to alert you that something is wrong. Let’s get serious and dig up some solid proof if you suspect someone else is logging in to your Windows PC. Windows keeps a complete record of when an account is logged in successfully and failed attempts at logging in. You can view this from the Windows Event Viewer.
To access the Windows Event Viewer, press Win + R and type eventvwr.msc
in the “Run” dialog box. When you press Enter, the Event Viewer will open.
In the left pane, expand “Windows Logs” and select “Security.”
In the middle panel, you’ll see multiple logon entries with date and time stamps. Every time you log in, Windows records multiple logon entries within a total time period of two to four minutes. Focus on the time these entries were made, and look for any times that you weren’t actively logged in.
If there is an entry, it means someone did access your PC. Windows won’t make fake entries, so you can trust this data. Additionally, you can also check which particular account was accessed during that period (if you have multiple accounts). To check, double-click on a “Special Logon” entry during that period, and “Event properties” will open. Here you will see the name of the account next to “Account Name.”
Event viewer is also a great way to check out PC startup and shutdown history. This can also serve as a clue that someone might have turned on and used your PC while you were away.
Show Last Login Details at Startup
The above method is quite solid for catching the intruder, but if they were smart enough, they could have cleared all the event logs. In that case, you can set up last login details to show up as soon as the PC starts. This will show you when the account was last logged in and any failed attempts. This information cannot be deleted and can only help you for future unauthorized access as you will be setting it up next.
You will be editing the Windows Registry, so make sure you create a backup of it. Press Win + R and enter regedit
in the Run dialog box to open the Windows Registry. In the Registry, click on “File -> Export,” pick a location for the backup file in the file chooser, then click the “Save” button.
To check previous login information In the Registry:
- Move to the below-mentioned location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Right-click on the “System” folder and select “DWORD value” from the “New” option.
- An entry will be created ready to be renamed; you need to name it “DisplayLastLogonInfo.”
- Double-click on this entry and set its value to “1.”
Now whenever you (or someone else) logs in to your PC, you will first see when you last logged in and any failed attempts.
Check Browser History
If your browser automatically deletes history when you close it, this won’t help. But even if it doesn’t, many people forget to delete their history when they’re using someone’s PC without permission. Simply open your browser(s) and access the history using the Settings menu for your specific browser.
Catch Remote Users
It’s unnerving to have someone logging in to your PC in person, but what about remotely? The methods above still work well to let you know whether a remote user has been on your PC. Typically, your Windows login history in Event Viewer will show even remote login events. A few other things to check for remote Windows logins include:
- Check your PC for any new apps. If you see something you didn’t install or that was installed recently without your permission, research it to see what it does. It’s possible it’s a result of malware and that the new app is allowing remote users to log in.
- Check your firewall. If you have a firewall installed, remote connections may show up. You may even notice a current active connection. Use your firewall to block remote users. The steps and settings vary greatly based on the type of firewall, and Windows has a built-in firewall. Go to “Settings -> Privacy & security -> Windows Security,” then go to “Open Security” and select “Firewall & network protection.” Select “Advanced Settings” to view events associated with the firewall.
- Scan for viruses. If someone’s logging in to Windows remotely without your permission, it may be due to malware. Run a virus scan regularly to check for malicious apps. If you don’t have anything installed, consider using Windows Defender.
- Check that your antivirus and firewall haven’t been disabled. If these have been disabled, it’s a sign of malware and possible remote access.
The above methods should be able to alert you about unauthorized access. However, they will not tell you “who” actually accessed your account. So yes, you’ll need to do a little more investigative work outside of your PC.
Remember, if someone uses your account and is smart enough to clear their traces, it’s tricky to catch them. Always log out of your account if you leave your PC to prevent someone from using it.
Frequently Asked Questions
1. How can I find out who is using my PC?
While your Windows login history lets you know something’s amiss, it doesn’t tell you who is responsible. If there are multiple potential culprits, consider hiding a camera or even having your webcam turn on and record upon logon. This won’t work for remote logons, but it helps catch people in your home or office. You may need permission to do this at your workplace.
So far, we’ve only talked about technical ways to check for unauthorized access. You can also use physical methods to check for access. For example, you might place a hair or thin string on your keyboard or mouse to see if they’ve been used. You could use a light powder on your mouse. If it’s gone or faded, you know someone’s been using it. Get creative with your traps.
2. How can I prevent unauthorized access to my PC?
If you’ve discovered unauthorized Windows logins, there are several ways to prevent access in the future, such as:
- Set up a login for your PC. You might have Windows set to log in automatically without a password. If someone’s using your PC without your permission, switch back to using a password, PIN, or even biometric login (if available on your device).
- Always log out of your PC when you’re not using it. If someone logs on, change your password immediately.
- Add separate accounts for each user, including kids. If you have a shared PC, ensure every user has their own account. This helps protect your files and settings. However, be aware that kids may still get around parental controls to access things they’re not supposed to.
- Never allow remote access unless it’s a reputable app or user you fully trust.
- Use a VPN any time you use public Wi-Fi. If hackers gain access to your PC while you’re in public, they can install apps that allow them to remotely log back in later.
Image credit: Unsplash
Our latest tutorials delivered straight to your inbox