How can I know if someone has logged into my account in Windows 7?
Recommended Method EDITED (Please Upvote Susan Cannon down below):
Press Windows button + R and type
eventvwr.msc
In Event Viewer, expand Windows Logs, and select System.
In the middle you’ll see a list with Date and Time, Source, Event ID and Task Category. The Task Category pretty much explains the event, Logon, Special Logon, Logoff and other details.
The events will be called Winlogon, with Event ID 7001.
The event Details will contain the UserSid of Account logging on, which you can match with a list obtained from Command Prompt using:
wmic useraccount
Hope this helps!
To see a list, run "PowerShell", and paste the following script into its window:
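# List Winlogon logon notifications (event 7001) from the System log with the account name.
Get-EventLog system -Source Microsoft-Windows-Winlogon `
    | ? { $_.InstanceId -eq 7001 } `
    | ? {
        # ReplacementStrings[1] holds the UserSid of the account that logged on.
        $sid = $_.ReplacementStrings[1]
        $objSID = New-Object System.Security.Principal.SecurityIdentifier ($sid)
        # Translate the SID to a DOMAIN\user name and attach it to the event as "User".
        $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
        $_ | Add-Member -Force -type NoteProperty -name User -value $objUser.Value
        # Always pass the event through; this block is only used to add the property.
        return $true
    } `
    | ft -Property TimeGenerated,User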
You'll have a bunch of system logins; they are normal.
What you will be looking for: Event ID 7001 - Winlogon.
Under the Details tab, look for UserSid.
An indication of a login will look like this (Win 8.1). This will probably be different in Win 7.
+ System
- EventData
TSId 1
User Sid A-2-8-46-234435-6527-754372-3445
Then open up command prompt by right clicking start button and selecting it.
Type in "wmic useraccount" and match the SID with the preceding username in the long list that comes up.
C:\Users\Superuser>wmic useraccount
AccountType Caption Description Disabled Domain FullName InstallDate
LocalAccount Lockout Name PasswordChangeable PasswordExpires
PasswordRequired SID SIDType Status
512 ComputerName\Administrator Built-in account for administering the
computer/domain TRUE ComputerName TRUE FALSE Administrator TRUE
FALSE TRUE A-2-8-46-234435-6527-754372-3447 1 Degraded
512 ComputerName\Superuser TRUE ComputerName TRUE FALSE Superuser TRUE
FALSE TRUE **A-2-8-46-234435-6527-754372-3445** 1 Degraded
We see from the list that Superuser is the account matching the SID.
Pathfinder's answer of checking the event log will let you know if someone logged into your computer. However, that will not tell you if they logged into another computer with your account. You would have to check that machine, or a Domain Controller to see logins from other machines.
As for emails, that's another story. As an Exchange admin, I can read the emails of anyone in our organization. Honestly, I don't know if that access is logged anywhere. I'm sure it would be, but that would be only available to Exchange administrators.
If you are on a corporate network, this won't work. Corporations have all sorts of automatic logins. I looked at either event 4648 or 4624, and logons are successfully logged even when people are not in the office (and no, no one is sneaking in to log in to PCs). There are thousands of them. I just logged in to the PC one time, and there are 10 activity sources under 4624. I did not log in 10 times. There were 12 logins yesterday under 4648, but no one touched the PC at all that day. So that's not an accurate list of real person logins.
If you want the REAL login info, go to System under Windows Logs, and filter on event 7001. These are successful WINLOGONS. This corresponds to user logins, and excludes system logins behind the scenes. Using this, I found the proper list of real live people user logins to the PC.
But unfortunately it still doesn't tell me WHO logged in. Our company doesn't keep those records as it would be a mile long every day. I look at UserID in the details, and the UserID for me logging in just now matches every other UserID under every login shown. And this is not my PC, so some of the logins are definitely not mine. So I don't know about that part.
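The answers above filter the System log on event 7001 and match the UserSid by hand. As an added example (not code from any of the answers), the following PowerShell goes one step further and pairs each 7001 logon with its logoff so every session shows the resolved account, start, end and duration. It assumes Winlogon's logoff counterpart is event 7002, which the page does not mention; the function names are hypothetical.

```powershell
# Added example, not code from the answers above. Event ID 7002 (the Winlogon
# logoff notification) is an assumption beyond the page, which covers only 7001.

function Resolve-Sid([string]$Sid) {
    # SIDs of deleted accounts, or of domain accounts while no domain controller
    # is reachable, cannot be translated; keep the raw SID instead of failing.
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Sid (unresolved)" }
}

function New-Session($Sid, $Logon, $Logoff) {
    $minutes = $null
    if ($Logoff) { $minutes = [math]::Round(($Logoff - $Logon).TotalMinutes, 1) }
    New-Object PSObject -Property @{
        User = (Resolve-Sid $Sid); Logon = $Logon; Logoff = $Logoff; Minutes = $minutes
    }
}

function Get-LogonSession {
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001, 7002 }
    $open = @{}   # "TSId|UserSid" -> logon time of a session with no logoff seen yet
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated | ForEach-Object {
        $e = $_
        # Read the EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $sid = $data['UserSid']
        $key = '{0}|{1}' -f $data['TSId'], $sid
        if ($e.Id -eq 7001) {
            # A second logon with no logoff in between (crash, power loss): report the old one as open-ended.
            if ($open.ContainsKey($key)) { New-Session $sid $open[$key] $null }
            $open[$key] = $e.TimeCreated
        } elseif ($open.ContainsKey($key)) {
            New-Session $sid $open[$key] $e.TimeCreated
            $open.Remove($key)
        }
    }
    # Sessions still open, including the current one, have no logoff time.
    foreach ($k in @($open.Keys)) { New-Session ($k.Split('|')[1]) $open[$k] $null }
}

Get-LogonSession | Sort-Object Logon | Format-Table User, Logon, Logoff, Minutes -AutoSize
```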