Helping people with computers... one answer at a time.
It may be possible to determine when someone has logged into your machine, but knowing exactly what they did while there is more difficult.
I suspect that somebody has attempted to access my computer when I was thoughtless enough to leave it physically unsecured for some time. (I've now read your article on securing and will comply in the future.) Is there any way of checking to see times and dates of when the computer was booted and if files have been copied off your computer? Date and time of when the file in question was copied last, if at all? I know when the laptop (Dell Inspiron 9100) was unsecured so if this type of information is logged somewhere on the (C:) or elsewhere I'd be able to know if someone other than myself used my computer.
Yes, we can probably tell when your computer was booted, and even when it was logged into.
But no, we can't tell what that person did once they were logged in; at least not to the granularity that you're looking for.
I'm going to use Windows Vista examples to describe what we can look at, but Windows XP is very similar - perhaps even simpler.
First, click on Start and then Run (or type Windows Key + R), and enter "eventvwr":
Press OK to start the Windows Event Viewer.
Now, the event viewer is an fairly complex and even intimidating beast. It doesn't help that most applications that log events don't do so in a very friendly, or even useful way. However, we can focus on a couple of things to get the information we're looking for.
Start by expanding the "Windows Logs" items on the far left, so that the specific logs are visible:
Now click on Security. It revealed a list of logs, and you'll see a list of security related events that have occurred on your machine:
In the example above, you can see that I've highlighted an event logged when I logged into my own machine. In fact, if you look closely you can see that I logged off at 4:02 AM (when this machine automatically reboots each night), and logged on at 8:47 AM, shortly after getting up.
Warning: there's a ton of noise in the event log. In particular you'll see lots of logins by "Anonymous" as well as other activity. This is expected, and does not imply that anything malicious is happening. This is one of the huge problems with the event log that I alluded to earlier - there's often a lot of information in it that is confusing and misleading - even to the people that are supposed to understand it. Don't panic if you see something you don't understand, it's likely to be totally benign.
But now you can at least see when your machine is being logged into. If you weren't around at the time ... well, that may tell you something.
Unfortunately, without additional logging software or settings, that's about all you can tell after the fact. There's no way to know if files were copied, opened or altered, for example. You might get lucky and notice it on a recently opened documents list, but that's only if the document were opened in a way that would add it to that list - copying doesn't count. The file system might keep a "last accessed" date and time, but any access - read, copy, open, whatever - will reset that information (and keeping this information is also occasionally disabled for performance reasons).
The only sure way to track things to this level of detail is actually to install spyware on your own machine. Parental tracking and control software is a common approach.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.