Windows – How to know if someone has logged into the account in Windows 7

Securitywindows 7

In Windows 7, is there a way to know if somebody has logged into my account when I was absent?

Specifically, is it possible to know if a person with administrator privileges somehow entered my account (i.e. in order to get into my email etc.)?

Best Answer

Recommended Method EDITED (Please Upvote Susan Cannon down below):

Press Windows button + R and type eventvwr.msc.
In event viewer, Expand Windows Logs, and select System.
In the middle you’ll see a list with Date and Time, Source, Event ID and Task Category. The Task Category pretty much explains the event, Logon, Special Logon, Logoff and other details.

The events will be called Winlogon, with Event ID 7001.

The event Details will contain the UserSid of Account logging on, which you can match with a list obtained from Command Prompt using:

wmic useraccount

Hope this helps!

To see a list, run "PowerShell", and paste the following script into its window:

Get-EventLog system -Source Microsoft-Windows-Winlogon `
    | ? { $_.InstanceId -eq 7001 } `
    | ? {
            $sid = $_.ReplacementStrings[1]
            $objSID = New-Object System.Security.Principal.SecurityIdentifier ($sid)
            $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
            $_ | Add-Member -Force -type NoteProperty -name User -value $objUser.Value
            return $true
        } `
    | ft -Property TimeGenerated,User

You'll have a bunch of system logins; they are normal.

What you will be looking for: Event ID 7001 - Winlogon.

Under the Details Tab, Look for UserSid

An indication of a login will look like this: (win 8.1) This will probably be different in win 7

+ System
- EventData
   TSId        1
   User Sid    A-2-8-46-234435-6527-754372-3445

Then open up command prompt by right clicking start button and selecting it.

Type in "wmic useraccount" and match the SID with the preceding username in the long list that comes up.

C:\Users\Superuser>wmic useraccount
AccountType  Caption  Description Disabled  Domain  FullName InstallDate
LocalAccount  Lockout  Name PasswordChangeable  PasswordExpires 
PasswordRequired  SID   SIDType  Status
512  ComputerName\Administrator   Built-in account for administering the
computer/domain  TRUE  ComputerName TRUE   FALSE  Administrator   TRUE
FALSE  TRUE A-2-8-46-234435-6527-754372-3447   1  Degraded

512  ComputerName\Superuser TRUE  ComputerName TRUE   FALSE  Superuser   TRUE
FALSE  TRUE **A-2-8-46-234435-6527-754372-3445**   1  Degraded

We see from the list that Superuser is the account matching the SID.

Best Answer

Related Solutions

Windows – the difference between the Administrator account and a User account that has administrator privilage

Windows – Are standard users still useful when Windows 8 has UAC

Related Question