Do you ever wish to know if someone used your Windows computer without your permission? Few people know that an inbuilt utility named Event Viewer can help them out and tell lots of information like the start-up and shutdown time of their computers. To do this, one simply needs to open Event Viewer and filter the logs to see the required details.
Step 1: Open the Event Logger
Way 1: Open it by search. Type event in the search box on taskbar and choose View event logs in the result.
Way 2: Turn on Event Viewer via Run. Press Windows+R to open the Run dialog, enter eventvwr (or eventvwr.msc) and hit OK.
Way 3: Open Event Viewer via Command Prompt. Open Command Prompt, type eventvwr and press Enter.
Way 4: Turn Event Viewer on via Windows PowerShell. Open Windows PowerShell through searching, type eventvwr.msc and tap Enter.
Way 5: Open Event Viewer in Control Panel. Access Control Panel, enter event in the top- right search box and click View event logs in the result.
Way 6: Open it in This PC. Open This PC, type event viewer in the search box on the top- right corner, and then double-click Event Viewer in the list.
Step 2:Understanding the Interface
When you first open Event Viewer, you’ll notice it uses the three-pane configuration like many of the other administrative tools in Windows, although in this case, there are actually quite a few useful tools on the right-hand side.
The left-hand pane displays a folder view, where you can find all of the different event logs, as well as the views that can be customized with events from many logs at once. For instance, the Administrative Events view in recent versions of Windows displays all of the Error, Warning, and Critical events whether they originated from the Application log or the System log.
The middle pane displays a list of events, and clicking on them will display the details in the preview pane – or you can double-click on any of them to pull it up in a separate window, which can be handy when you are looking through a big set of events and want to find all the important things before beginning an internet search.
The right-hand pane gives you quick access to actions like creating custom views, filtering, or even creating a scheduled task based on a particular event. clip_image002 The events themselves are what we’re trying to see, of course, and their usefulness can range from really specific and obvious things that you can fix easily to the very vague messages that don’t make any sense and you can’t find any information on Google. The regular fields on the display contain:
- Log Name – while in older versions of Windows everything got dumped into the Application or System log, in the more modern editions there are dozens or hundreds of different logs to choose from. Each Windows component will most likely have its own log. Source – this is the name of the software that generates the log event. The name usually doesn’t directly match with a filename, of course, but it is a representation of which component did it.
- Event ID – the all-important Event ID can actually be a little confusing. If you were to Google for “event ID 122” that you see in the next screenshot, you wouldn’t end up with very useful information unless you also include the Source, or application name. This is because every application can define their own unique Event IDs.
- Level – This tells you how severe the event is – Information just tells you that something has changed or a component has started, or something has completed. Warning tells you that something might be going wrong, but it isn’t all that important yet. Error tells you that something happened that shouldn’t have happened, but isn’t always the end of the world. Critical, on the other hand, means something is broken somewhere, and the component that triggered this event has probably crashed.
- User – this field tells you whether it was a system component or your user account that was running the process that caused the error. This can be helpful when looking through things.
- OpCode – this field theoretically tells you what activity the application or component was doing when the event was triggered. In practice, however, it will almost always say “Info” and is pretty useless. Computer – on your home desktop, this will usually just be your PC’s name, but in the IT world, you can actually forward events from one computer or server to another computer. You can also connect Event Viewer to another PC or server.
- Task Category – this field is not always used, but it ends up basically being an informational field that tells you a bit more information about the event.
- Keywords – this field is not usually used, and generally contains useless information. As a rule of thumb, you should try searching by the general description, or the Event ID and the Source, or a combination of those values. Just remember that the Event ID is unique… for each application. So there is a lot of overlap and you can’t just search for “Event ID 122” because you’ll get a lot of nonsense.
Note: There are always going to be errors and warnings in the event log, and you can’t solve all of them. The most important thing is to use Event Viewer to troubleshoot problems you are already having, rather than trying to find problems that you don’t know about yet. And yes, you are going to need to use your Google skills to research the events that you don’t know about. There’s no easy magic solution.
Step 3: Find if someone logged into your computer without permission?
Now, after opening Event Viewer in your Windows PC, you need to locate Windows Logs > System. In the middle pane, this will open a list of the events that took place when Windows system was running. The events might take a couple of moments to populate.
To do this, click on the Filter Current Log button in the right pane. Firstly, make sure that Event logs field shows System. Secondly, make sure that User field shows <All Users>.As shown in the screenshot, enter event IDs 6005 and 6006 in the empty field. This will filter the System events.
You can see the start-up and shut down time in the Date and Time column. Here, Event ID 6005 means “The event log service was started” (i.e. start-up time) and 6006 means “The event log service was stopped” (i.e. shut down time).
You can also use the Custom view option if you wish to check this data regularly.