The keyboard is misplaced. Someone left some food crumbs on your desk. Your monitor is tilted at an odd angle. You know someone has been using your computer, but you don’t have any evidence to nail down the culprit. Or do you?
The truth is that the person who used your computer not only left behind crumbs of evidence on your desk, but they’ve also likely left crumbs of evidence on the computer itself, without even realizing it. No matter what someone might have done on your PC, the fact is that nearly everything you do leaves some kind of trace on a computer. You just need to know where to go in order to find that evidence.
Some of the things that can leave tracks include restarting a computer, attempting and failing to log into your Windows account, launching applications, browsing the Internet, opening files and more. In this article, I’m going to show you all of the first places you should immediately check if you suspect someone has been using your computer behind your back, without your permission.
Uncovering the Bread Crumbs
If you want to become a computer sleuth to ferret out who has been using your PC, you’ll need to use some general logic when considering where you want to check first. There are a lot of places in your computer system that you could search through, so you want to start at the more logical and likely locations first.
For example, if you have a roommate that’s an avid gamer, and you suspect that they’re using your PC for gaming, then you’ll probably want to take a look at the Windows application log files (which I’ll show you below). Or, if you were using your laptop in a public place and you suspect one of your friends used your computer to briefly go on the Internet, then you’ll want to go after the Internet logs to confirm that. Knowing – or suspecting – where to start can dramatically reduce the amount of time it’ll take for you to confirm your suspicions.
Check Windows Logs
One tool that’s in every IT analyst’s toolbelt is checking Windows Logs to see what went wrong on a server, or why a PC continues to crash at a specific point during bootup. Windows logs can tell you a lot of information about what the computer is trying to do, and why it’s failing. The cool thing is that it also holds a lot of informational data even when things don’t go wrong. You can get there by going to the Control Panel, going to Administrative Tools, and selecting Computer Management.
Once you’re in there, just click on the Event Viewer in the left navigation bar, and you’ll see a folder for Windows Logs. Expand that folder, and you’ll see the different categories for Windows logs that you have to work with.
One of the more useful choices here is the Security log. This will show you any time someone tried to log out of or into your Windows account, or if they simply rebooted your computer during a time period when you are 100% certain you were not using your computer.
Sifting through the Application log, you’ll find that there’s a lot of useless information in there that really doesn’t mean a whole lot to the average user. However, if you carefully scrutinize the time period when you know you had left your computer unattended, you might stumble across a clue, letting you know what application the person was running on your computer, such as the example below where the user launched Windows search tool.
Windows logs can be very hit-and-miss. If you’re lucky, you’ll stumble across something that clearly proves someone was messing around with your PC while you were out. It’s difficult for anyone to argue with the date and time stamp on the activity log.
In an article a while back, Tim described a few ways to catch whether someone has been using your computer, and one method he mentioned is well-worth repeating here. Checking for recently modified files is one of the easiest ways to catch someone using your computer without permission. Of course, one of the quickest ways to see what files someone opened on your computer is to check the “Recent Items” selection in the Windows Start menu.
This might work if you’re lucky, but if the person is at all computer savvy, then they’ve probably thought to right click on “Recent Items” and select “Clear Recent Items List”, and you’re out of luck.
Well, not entirely out of luck. You can still search for recently modified files, which may not show you what files they’ve opened, but if the application they used wrote any log or error files, or otherwise changed any file at all on your computer, you’ll be able to spot those by opening Windows Explorer, clicking on the C: drive (Local Disk), and clicking in the search field and selecting “Date modified”.
Once you choose a date, you’ll get a full listing of all files that were modified on that date.
As you can see, folders like Temp and Downloads had modified files, so those could prove to be a treasure-trove of information about what the person was up to on your computer while you were away. Just sift through those files and identify applications used to modify them from the file type column. If you’re lucky, you’ll stumble across a document, log file or some other bit of information that’s dated exactly when you were away from your computer.
Of course, it should go without saying that you’ll always want to take a quick glance at the history logs for any Internet browsers that you have installed on your PC.
Having any success with this would require that the sneak who used your computer completely forgot to delete the browser’s history. Not very likely, but you never know. You could luck out!
The Last Resort: Create a Scheduled Task
A last option, if you can’t find a single trace of any activity on your PC while you’re gone, but you just know someone is messing with it, is to set up a scheduled task that sends you an email whenever your computer comes out of sleep mode, or when it first boots.
To do this, just go into scheduled tasks and create a new task. Under the General tab, make sure to set the task to run whether or not a user has logged in.
Under the trigger tag is where you’ll tell the Task Schedule when to run this particular task. In the “Begin the task” field, you’ll want to change it from “On a schedule” to something like “At startup” or “On workstation unlock”.
If none of those options are good enough for you, you can be more specific with when you want to trigger your email by selecting “On a event” from the list, and then selecting which application or system event you want to use to trigger your notification that someone is using your computer.
To find specific applications rather than just system events, you’ll need to select “Application” from this longer list, and then choose the application from the “Source” list.
For the Event ID to monitor for, you’ll either need to find the Event ID listed in the application log (as I showed you earlier in this article), or you can search for Windows Event IDs on different sites around the net.
For the Action tab, you can send a Blat command, which will issue an email. Something like:
With the following parameters:
"-body Someone is using your computer! -to firstname.lastname@example.org -subject Computer Access Alert!"
If you don’t have Blat set up on your computer and can’t issue these commands yet, make sure to check out our Blat installation article and get it set up on your PC so you can send these emails via the command line.
Another thing you can do if you don’t have the time or patience to set something up yourself, is to install software like iSpy, a tool that can monitor computer use and take screenshots automatically.
Do you have any other tips and tricks that you use to monitor when someone is messing around on your computer? What have you done to catch the culprit? Share your thoughts and experiences in the comments section below!