Do you want to know when a user logs in or logs out? This tutorial will show you how to use Event Viewer to track all login and shutdown events in Windows.
It is not for everyone, but there may be instances when you need to keep track of all sign-in and out activities. There could be various reasons for this, such as keeping a record of all login and log-out events in an organization. The good news is that you can use the Event Viewer in Windows to track log-on and shut-down events.
For example, the Event Viewer will immediately create a new event entry with the exact time stamp as soon as a user signs into their account. Viewing this timestamp in the Event Viewer will show when the person signed in or out.
Table of contents:
The steps below work the same in Windows 10 and 11.
What is an Event Viewer?
Windows has many fantastic tools that, when used correctly, give you a great deal of power and information. One such tool is Event Viewer.
In case you’re unaware, Windows logs practically every event on your machine. For example, if something goes wrong with a running process, Windows will immediately create an event log for that specific occurrence. All of the event logs are viewable via the Event Viewer. As you might expect, event logs are helpful for monitoring and debugging Windows and its activities.
Without further ado, let me show how to log login and log off events to event viewer.
Enable login and shutdown event tracker
You must enable the “Audit logon events” group policy to track sign-in and sign-out activities. The good thing about the policy is that it will log all successful and failed login or log-off activities. Here’s how to do it.
- Press the Start button on the keyboard.
- Search and open “Edit Group Policy.”
- Go to the “Computer Configuration -> Windows Settings” folder.
- Go to the “Security Settings -> Local Policies” folder.
- Open the “Audit Policy” folder.
- Double-click the “Audit logon events” policy.
- Select the “Success” and “Failure” checkboxes.
- Press “Ok.”
- Close the Group Policy Editor.
- Reboot the computer.
Steps with more details:
Launch the Group Policy Editor. You can use the Start menu to look for “Edit Group Policy” or “gpedit.msc.”
All policies are organized into folders. Those folders are visible in the left panel. On the left panel, navigate to the following folder.
Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy
In the main panel, locate and double-click the “Audit login events” policy.
In the policy configuration window, select both the “Success” and “Failure” checkboxes, then click the “Apply” and “Ok” buttons to save changes. You can log both successful and failed logon events by checking both boxes.
To make the group policy changes take effect, restart Windows.
After rebooting, Windows will log all login and shutdown activities of all users to the Event Viewer.
View Login and Shutdown Logs
Once you’ve enabled the logs, you can view the login and shutdown events in the Event Viewer. Since these events have a specific event ID, it is straightforward to filter out. Let me show you how.
- Open the Start menu.
- Search and open “Event Viewer.”
- Go to the “Event Viewer -> Windows Logs” folder.
- Go to the “Security” folder.
- Click the “Filter current log” option.
- Type the below event ID in the blank field.
- 4624 – Login events
- 4634 – Log out events
- Press “Ok.”
- You will see the filtered events for login or log-out activities.
- Open the event to see the timestamp.
- Once you have the information, you can close the Event Viewer.
Steps with more details:
Open Event Viewer by searching for it in the start menu to see the login and log-out events.
Navigate to the “Event Viewer -> Windows Logs -> Security” section on the left panel of the Event Viewer.
Look for the event IDs 4624 and 4634. These are the login and shutdown events, respectively. All IDs are listed in the middle panel’s “Event ID” column.
It can be difficult to locate the event you are looking for at times. This is especially true when there are several events. You can use the built-in Filter function in these cases. To filter events, go to the right panel and select “Filter Current Log.”
Select “Last Hour” from the “Logged” dropdown menu in the filter window, type the Event ID (4624 for login events, 4634 for log-off events) in the field above Task Category, and click the “Ok” button.
A quick tip: To display multiple events, separate event IDs with ‘,.’ For example, type “4624, 4634” in the Event ID column to see both login and logoff events.
The previous action will display the filtered results of the events you’ve selected. To view the timestamp for an event, select it. It will show you a user’s login or shutdown time.
That is it. It is that simple to log login and shutdown activities and know when someone logins into your computer.
I hope this simple and easy Windows how-to guide helped you.
If you are stuck or need some help, send an email, and I will try to help as much as possible.