Has Someone Used Your PC? 3 Ways to Check

Ads by Google

The keyboard is misplaced. Someone left some food crumbs on your desk. Your monitor is tilted at an odd angle. You know someone has been using your computer, but you don’t have any evidence to nail down the culprit. Or do you?

The truth is that the person who used your computer not only left behind crumbs of evidence on your desk, but they’ve also likely left crumbs of evidence on the computer itself, without even realizing it. No matter what someone might have done on your PC, the fact is that nearly everything you do leaves some kind of trace on a computer. You just need to know where to go in order to find that evidence.

Some of the things that can leave tracks include restarting a computer, attempting and failing to log into your Windows account, launching applications, browsing the Internet, opening files and more. In this article, I’m going to show you all of the first places you should immediately check if you suspect someone has been using your computer behind your back, without your permission.

Uncovering the Bread Crumbs

If you want to become a computer sleuth to ferret out who has been using your PC, you’ll need to use some general logic when considering where you want to check first. There are a lot of places in your computer system that you could search through, so you want to start at the more logical and likely locations first.

Ads by Google

For example, if you have a roommate that’s an avid gamer, and you suspect that they’re using your PC for gaming, then you’ll probably want to take a look at the Windows application log files (which I’ll show you below). Or, if you were using your laptop in a public place and you suspect one of your friends used your computer to briefly go on the Internet, then you’ll want to go after the Internet logs to confirm that. Knowing – or suspecting – where to start can dramatically reduce the amount of time it’ll take for you to confirm your suspicions.

Check Windows Logs

One tool that’s in every IT analyst’s toolbelt is checking Windows Logs to see what went wrong on a server, or why a PC continues to crash at a specific point during bootup. Windows logs can tell you a lot of information about what the computer is trying to do, and why it’s failing. The cool thing is that it also holds a lot of informational data even when things don’t go wrong. You can get there by going to the Control Panel, going to Administrative Tools, and selecting Computer Management.

computer use1   Has Someone Used Your PC? 3 Ways to Check

Once you’re in there, just click on the Event Viewer in the left navigation bar, and you’ll see a folder for Windows Logs. Expand that folder, and you’ll see the different categories for Windows logs that you have to work with.

computer use21   Has Someone Used Your PC? 3 Ways to Check

One of the more useful choices here is the Security log. This will show you any time someone tried to log out of or into your Windows account, or if they simply rebooted your computer during a time period when you are 100% certain you were not using your computer.

computer use3   Has Someone Used Your PC? 3 Ways to Check

Sifting through the Application log, you’ll find that there’s a lot of useless information in there that really doesn’t mean a whole lot to the average user. However, if you carefully scrutinize the time period when you know you had left your computer unattended, you might stumble across a clue, letting you know what application the person was running on your computer, such as the example below where the user launched Windows search tool.

computer use4   Has Someone Used Your PC? 3 Ways to Check

Windows logs can be very hit-and-miss. If you’re lucky, you’ll stumble across something that clearly proves someone was messing around with your PC while you were out. It’s difficult for anyone to argue with the date and time stamp on the activity log.

Recent Files

In an article a while back, Tim described a few ways to catch whether someone has been using your computer, and one method he mentioned is well-worth repeating here. Checking for recently modified files is one of the easiest ways to catch someone using your computer without permission. Of course, one of the quickest ways to see what files someone opened on your computer is to check the “Recent Items” selection in the Windows Start menu.

computer use5   Has Someone Used Your PC? 3 Ways to Check

This might work if you’re lucky, but if the person is at all computer savvy, then they’ve probably thought to right click on “Recent Items” and select “Clear Recent Items List”, and you’re out of luck.

Well, not entirely out of luck. You can still search for recently modified files, which may not show you what files they’ve opened, but if the application they used wrote any log or error files, or otherwise changed any file at all on your computer, you’ll be able to spot those by opening Windows Explorer, clicking on the C: drive (Local Disk), and clicking in the search field and selecting “Date modified”.

computer use6   Has Someone Used Your PC? 3 Ways to Check

Once you choose a date, you’ll get a full listing of all files that were modified on that date.

computer use7   Has Someone Used Your PC? 3 Ways to Check

As you can see, folders like Temp and Downloads had modified files, so those could prove to be a treasure-trove of information about what the person was up to on your computer while you were away. Just sift through those files and identify applications used to modify them from the file type column. If you’re lucky, you’ll stumble across a document, log file or some other bit of information that’s dated exactly when you were away from your computer.

Of course, it should go without saying that you’ll always want to take a quick glance at the history logs for any Internet browsers that you have installed on your PC.

computer use82   Has Someone Used Your PC? 3 Ways to Check

Having any success with this would require that the sneak who used your computer completely forgot to delete the browser’s history. Not very likely, but you never know. You could luck out!

The Last Resort: Create a Scheduled Task

A last option, if you can’t find a single trace of any activity on your PC while you’re gone, but you just know someone is messing with it, is to set up a scheduled task that sends you an email whenever your computer comes out of sleep mode, or when it first boots.

To do this, just go into scheduled tasks and create a new task. Under the General tab, make sure to set the task to run whether or not a user has logged in.

computer use9   Has Someone Used Your PC? 3 Ways to Check

Under the trigger tag is where you’ll tell the Task Schedule when to run this particular task. In the “Begin the task” field, you’ll want to change it from “On a schedule” to something like “At startup” or “On workstation unlock”.

computer use10   Has Someone Used Your PC? 3 Ways to Check

If none of those options are good enough for you, you can be more specific with when you want to trigger your email by selecting “On a event” from the list, and then selecting which application or system event you want to use to trigger your notification that someone is using your computer.

computer use11   Has Someone Used Your PC? 3 Ways to Check

To find specific applications rather than just system events, you’ll need to select “Application” from this longer list, and then choose the application from the “Source” list.

computer use12   Has Someone Used Your PC? 3 Ways to Check

For the Event ID to monitor for, you’ll either need to find the Event ID listed in the application log (as I showed you earlier in this article), or you can search for Windows Event IDs on different sites around the net.

For the Action tab, you can send a Blat command, which will issue an email. Something like:

"c:\temp\blat\blat.exe"

With the following parameters:

 "-body Someone is using your computer! -to rdxxxxx@gmail.com -subject Computer Access Alert!"

If you don’t have Blat set up on your computer and can’t issue these commands yet, make sure to check out our Blat installation article and get it set up on your PC so you can send these emails via the command line.

Another thing you can do if you don’t have the time or patience to set something up yourself, is to install software like iSpy, a tool that can monitor computer use and take screenshots automatically.

Do you have any other tips and tricks that you use to monitor when someone is messing around on your computer? What have you done to catch the culprit? Share your thoughts and experiences in the comments section below!

Photo credit: Thru Mikes Viewfinder via photopin cc

Ads by Google

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

19 Comments -

Tony Bze

Can you have this document in PDF available, plz. Thanks.

Akshay G

Or,one can use a key-logger/screenshot service. Although they are extreme measures,they are extremely effective tools to nab people who go thru personal data/do illegal activities in your laptop.

Wilfredo Jr. D

Very useful info sir!

daf

in your photo for this article you have a mac but the article is only about windows. do you have the same info for mac too?

Ryan Dube

No – but thanks to your comment we may have just such an article in the works. :-)

BLord

Great post, RD. Keep it thorough.

dragonmouth

A naive question perhaps, but wouldn’t the login stop unauthorized use?

If you freely share your userid/password then you deserve all that happens. OTOH, if my room mate is a hacker then I do what Minnesota Fats had his boys do to Fast Eddie Felsen, I break his fingers.

Ryan Dube

A login can – but in situations like a household, some people don’t actually enable password login (I know, crazy right?)

There’s also the situation where you’ve walked away from your computer and someone has jumped on it before the screensaver lock kicks in – things like that.

shaun wray

very interesting,very useful

Joe F

Nice overview of basic security checks!

Nairuz

I have followed all the steps to receive notifications to my email but did not work for me . I used this argument” -f from@gmail.com -t to@gmail.com -u Someone Logged Into Your Computer -m Someone just logged into your computer! -s smtp.gmail.com:587 -xu from@gmail.com -xp password -o tls=yes”

why cannot get the notification to me email and is there another way to receive notifications to my email aside from ispy

Danny

Ryan,

I stumbled across your page by accident and I am no tekkie. But I think a very quick and simple check for computer activity is to open Explorer and do a file search on C drive(or all drives individually) using the wildcard only for the file name and the day you want to search on to see if any files were changed.

Also you can go to:

C:Documents and SettingsuserLocal SettingsHistory

and click on “Today”, then click on my “My Computer” and you will see all the files that were accessed, and they too will be time stamped.

Could you not also install a key logger as a preemptive strike?

fosscoder

Nice Article, Ryan Dube. If you don’t mind I more like to tell you a most common place to look just in case if the user is suspicious that his/her PC has accessed by someone. Here is the step to check. Go to RUN -> Type “Recent” and the user can see all the files that have been opened.
Thanks.
fosscoder.com

samrocky

its difficult to understand but its cool brother.thanks………

dxraygirl

all good unless they ran “restore” to before they logged into the system. Then what?

srqhelpdesk.com

You could use a Linux live cd or usb drive if you need to use the computer but don’t want to leave traces of your activity.

Obama

Hello dixygirl… restore event will be captured by windows… I don’t think the log files get overwritten because of system restore :p

jeber

use keylogger,
then make it superstealth, haha
CMIIW