
The keyboard is misplaced. Someone left some food crumbs on your desk. Your monitor is tilted at an odd angle. You know someone has been using your computer, but you don’t have any evidence to nail down the culprit. Or do you?

The truth is that the person who used your computer not only left behind crumbs of evidence on your desk, but they’ve also likely left crumbs of evidence on the computer itself, without even realizing it. No matter what someone might have done on your PC, the fact is that nearly everything you do leaves some kind of trace on a computer. You just need to know where to go in order to find that evidence.

Some of the things that can leave tracks include restarting a computer, attempting and failing to log into your Windows account, launching applications, browsing the Internet, opening files and more. In this article, I’m going to show you all of the first places you should immediately check if you suspect someone has been using your computer behind your back, without your permission.

Uncovering the Bread Crumbs

If you want to become a computer sleuth to ferret out who has been using your PC, you’ll need to use some general logic when considering where you want to check first. There are a lot of places in your computer system that you could search through, so you want to start at the more logical and likely locations first.

For example, if you have a roommate that’s an avid gamer, and you suspect that they’re using your PC for gaming, then you’ll probably want to take a look at the Windows application log files (which I’ll show you below). Or, if you were using your laptop in a public place and you suspect one of your friends used your computer to briefly go on the Internet, then you’ll want to go after the Internet logs to confirm that. Knowing – or suspecting – where to start can dramatically reduce the amount of time it’ll take for you to confirm your suspicions.

Check Windows Logs

One tool that’s in every IT analyst’s toolbelt is checking Windows Logs to see what went wrong on a server, or why a PC continues to crash at a specific point during bootup. Windows logs can tell you a lot of information about what the computer is trying to do, and why it’s failing. The cool thing is that it also holds a lot of informational data even when things don’t go wrong. You can get there by going to the Control Panel, going to Administrative Tools, and selecting Computer Management.


Once you’re in there, just click on the Event Viewer in the left navigation bar, and you’ll see a folder for Windows Logs. Expand that folder, and you’ll see the different categories for Windows logs that you have to work with.


One of the more useful choices here is the Security log. This will show you any time someone tried to log out of or into your Windows account, or if they simply rebooted your computer during a time period when you are 100% certain you were not using your computer.


Sifting through the Application log, you’ll find that there’s a lot of information in there that really doesn’t mean a whole lot to the average user. However, if you carefully scrutinize the time period when you know you had left your computer unattended, you might stumble across a clue letting you know what application the person was running on your computer, such as an entry showing that the user launched the Windows search tool.


Windows logs can be very hit-and-miss. If you’re lucky, you’ll stumble across something that clearly proves someone was messing around with your PC while you were out. It’s difficult for anyone to argue with the date and time stamp on the activity log.
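The same check can be done without clicking through Event Viewer. The PowerShell below is an added example, not part of the original article: it pulls logon, logoff, lock/unlock and shutdown events from the Security and System logs for the period you were away. The time window is a constructed sample value, and the script assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example. Reading the Security log requires an elevated (administrator) prompt.
# Constructed sample window: set these to the period you were away from the PC.
$start = Get-Date '2013-08-29 12:00'
$end   = Get-Date '2013-08-29 14:00'

$labels = @{
    4624 = 'Logon';               4625 = 'Failed logon attempt'
    4634 = 'Logoff';              4647 = 'User-initiated logoff'
    4800 = 'Workstation locked';  4801 = 'Workstation unlocked'
    1074 = 'Shutdown or restart requested'
    6005 = 'Event Log service started (boot)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected'
}
# Logon types produced by a person at the machine: 2 interactive, 7 unlock,
# 10 Remote Desktop, 11 cached credentials. Service and network logons are noise here.
$humanLogonTypes = '2', '7', '10', '11'

# 4800/4801 only appear if the "Audit Other Logon/Logoff Events" policy is enabled.
$filters = @(
    @{ LogName = 'Security'; Id = 4624, 4625, 4634, 4647, 4800, 4801; StartTime = $start; EndTime = $end }
    @{ LogName = 'System';   Id = 1074, 6005, 6006, 6008;             StartTime = $start; EndTime = $end }
)

$timeline = foreach ($filter in $filters) {
    # SilentlyContinue: Get-WinEvent reports an error when nothing matches the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named fields from the event XML; positions in .Properties differ per event ID.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        # Drop logon/logoff records that were not caused by a person at the machine.
        if (($_.Id -in (4624, 4625, 4634)) -and ($data.LogonType -notin $humanLogonTypes)) { return }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Log       = $_.LogName
            Id        = $_.Id
            What      = $labels[$_.Id]
            User      = $data.TargetUserName
            LogonType = $data.LogonType
        }
    }
}
$timeline | Sort-Object Time | Format-Table -AutoSize
```

An empty result means no matching events were recorded in that window, not proof that nobody touched the machine: activity in a session that was already logged in and unlocked produces none of these events.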

Recent Files

In an article a while back, Tim described a few ways to catch whether someone has been using your computer, and one method he mentioned is well worth repeating here. Checking for recently modified files is one of the easiest ways to catch someone using your computer without permission. Of course, one of the quickest ways to see what files someone opened on your computer is to check the “Recent Items” selection in the Windows Start menu.


This might work if you’re lucky, but if the person is at all computer savvy, then they’ve probably thought to right click on “Recent Items” and select “Clear Recent Items List”, and you’re out of luck.

Well, not entirely out of luck. You can still search for recently modified files, which may not show you what files they’ve opened, but if the application they used wrote any log or error files, or otherwise changed any file at all on your computer, you’ll be able to spot those by opening Windows Explorer, clicking on the C: drive (Local Disk), and clicking in the search field and selecting “Date modified”.


Once you choose a date, you’ll get a full listing of all files that were modified on that date.


As you can see, folders like Temp and Downloads had modified files, so those could prove to be a treasure-trove of information about what the person was up to on your computer while you were away. Just sift through those files and identify applications used to modify them from the file type column. If you’re lucky, you’ll stumble across a document, log file or some other bit of information that’s dated exactly when you were away from your computer.
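A scripted version of the two checks above, as an added example that is not part of the original article: it first lists the shortcuts behind “Recent Items” that were written during the window, then finds every file created or modified in that window and summarizes the results by folder. The time window, the folders scanned and the output file name are assumptions; PowerShell 3.0 or later is required.

```powershell
# Added example. Constructed sample window: set it to the period you were away.
$start = Get-Date '2013-08-29 12:00'
$end   = Get-Date '2013-08-29 14:00'
$inWindow = { param($t) $t -ge $start -and $t -le $end }

# 1. "Recent Items" is a folder of .lnk shortcuts, one per opened document.
#    It is empty if the list was cleared, which is why step 2 exists.
$recent = [Environment]::GetFolderPath('Recent')
Get-ChildItem -Path $recent -Filter *.lnk -Force -ErrorAction SilentlyContinue |
    Where-Object { & $inWindow $_.LastWriteTime } |
    Sort-Object LastWriteTime |
    Format-Table LastWriteTime, Name -AutoSize

# 2. Files created or modified in the window. Scanning all of C: works too but is slow;
#    user profiles and the system Temp folder are where most traces end up.
#    Folders you cannot read (other users' profiles without elevation) are skipped.
$roots = 'C:\Users', (Join-Path $env:SystemRoot 'Temp')
$hits = Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { (& $inWindow $_.LastWriteTime) -or (& $inWindow $_.CreationTime) }

# Folder summary first: a burst of writes under one application's folder
# says more than a flat list of hundreds of cache files.
$hits | Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# Full detail, oldest first, saved for a closer look (hypothetical file name).
$hits | Sort-Object LastWriteTime |
    Select-Object LastWriteTime, CreationTime, Length, Extension, FullName |
    Export-Csv -Path (Join-Path $env:USERPROFILE 'modified-while-away.csv') -NoTypeInformation
```

Background services write files all the time, so expect hits even when nobody was there; look for user-facing folders such as Downloads, Documents or an application's own data folder.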

Of course, it should go without saying that you’ll always want to take a quick glance at the history logs for any Internet browsers that you have installed on your PC.


Having any success with this would require that the sneak who used your computer completely forgot to delete the browser’s history. Not very likely, but you never know. You could luck out!

The Last Resort: Create a Scheduled Task

A last option, if you can’t find a single trace of any activity on your PC while you’re gone, but you just know someone is messing with it, is to set up a scheduled task that sends you an email whenever your computer comes out of sleep mode, or when it first boots.

To do this, just go into scheduled tasks and create a new task. Under the General tab, make sure to set the task to run whether or not a user has logged in.


Under the Triggers tab is where you’ll tell the Task Scheduler when to run this particular task. In the “Begin the task” field, you’ll want to change it from “On a schedule” to something like “At startup” or “On workstation unlock”.


If none of those options are good enough for you, you can be more specific with when you want to trigger your email by selecting “On an event” from the list, and then selecting which application or system event you want to use to trigger your notification that someone is using your computer.


To find specific applications rather than just system events, you’ll need to select “Application” from this longer list, and then choose the application from the “Source” list.


For the Event ID to monitor for, you’ll either need to find the Event ID listed in the application log (as I showed you earlier in this article), or you can search for Windows Event IDs on different sites around the net.

For the Action tab, you can send a Blat command, which will issue an email. Something like:

"c:\temp\blat\blat.exe"

With the following parameters (values that contain spaces need their own quotes):

 -body "Someone is using your computer!" -to rdxxxxx@gmail.com -subject "Computer Access Alert!"

If you don’t have Blat set up on your computer and can’t issue these commands yet, make sure to check out our Blat installation article, Easily Send Command Line Emails with Blat [Windows], and get it set up on your PC so you can send these emails via the command line.
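The task described in the steps above can also be registered from PowerShell. This is an added example, not from the original article: it assumes Windows 8 or later (for the ScheduledTasks cmdlets), an elevated prompt, and that Blat sits at the article's path and is already configured for the account the task runs under. The task name is hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$blat = 'C:\temp\blat\blat.exe'    # path used in the article
$to   = 'rdxxxxx@gmail.com'        # address as shown (elided) in the article; use your own

# Action tab: program plus arguments, with multi-word values quoted for Blat.
$arguments = '-body "Someone is using your computer!" -to {0} -subject "Computer Access Alert!"' -f $to
$action = New-ScheduledTaskAction -Execute $blat -Argument $arguments

# Triggers tab, "At startup".
$atStartup = New-ScheduledTaskTrigger -AtStartup

# Triggers tab, "On workstation unlock". New-ScheduledTaskTrigger has no switch for it,
# so the session-state-change trigger is built through CIM. StateChange 8 = session unlock.
$triggerClass = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
                             -ClassName 'MSFT_TaskSessionStateChangeTrigger'
$onUnlock = New-CimInstance -CimClass $triggerClass -Property @{ StateChange = 8 } -ClientOnly

# General tab: running as SYSTEM gives "run whether a user is logged on or not"
# without storing a password in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Laptops: do not skip the alert just because the machine is on battery.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName 'Computer Access Alert' `
    -Action $action -Trigger $atStartup, $onUnlock `
    -Principal $principal -Settings $settings

# Fire it once by hand to confirm the email arrives before relying on it.
Start-ScheduledTask -TaskName 'Computer Access Alert'
```

The task is visible in Task Scheduler to anyone with administrator rights on the PC, and it can be removed with Unregister-ScheduledTask.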

Another thing you can do if you don’t have the time or patience to set something up yourself is to install software like iSpy, a tool that can monitor computer use and take screenshots automatically (see How to Track What Others Do on Your Computer With iSpy).

Do you have any other tips and tricks that you use to monitor when someone is messing around on your computer? What have you done to catch the culprit? Share your thoughts and experiences in the comments section below!

Photo credit: Thru Mikes Viewfinder via photopin cc

  1. evan
    July 5, 2016 at 1:33 am

    heyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

  2. George
    April 24, 2015 at 10:14 pm

    I'm suspecting one of the users is using folders that are not assigned to them on my PC. Is there a way to see what folders a user viewed? Can this be found from the server log file? On server MS SBS Standard 2011.

  3. shezar maghrougali
    February 18, 2015 at 7:04 am

    Sometimes when I shut down my computer, it shows me a message "Somebody is logged on your computer. Do you want to continue?"
    My question: How can I find out who is logged on my computer?

  4. Alex
    December 31, 2014 at 7:11 pm

    Unless they deleted it on the way out check the C: drive users folder and there you will find any file that was created the moment they logged in and when the file was last modified.

  5. jeber
    September 26, 2013 at 4:09 pm

    use keylogger,
    then make it superstealth, haha
    CMIIW

  6. Obama
    September 11, 2013 at 2:00 pm

    Hello dixygirl... restore event will be captured by windows... I don't think the log files get overwritten because of system restore :p

  7. srqhelpdesk.com
    September 11, 2013 at 1:28 pm

    You could use a Linux live cd or usb drive if you need to use the computer but don't want to leave traces of your activity.

  8. dxraygirl
    September 9, 2013 at 3:50 pm

    all good unless they ran "restore" to before they logged into the system. Then what?

  9. samrocky
    September 9, 2013 at 9:06 am

    It's difficult to understand but it's cool, brother. Thanks.

  10. fosscoder
    September 6, 2013 at 5:34 pm

    Nice article, Ryan Dube. If you don't mind, I'd like to tell you the most common place to look, just in case the user is suspicious that his/her PC has been accessed by someone. Here is the step to check: go to Run -> type "Recent" and the user can see all the files that have been opened.
    Thanks.
    fosscoder.com

  11. Danny
    September 5, 2013 at 10:55 pm

    Ryan,

    I stumbled across your page by accident and I am no tekkie. But I think a very quick and simple check for computer activity is to open Explorer and do a file search on C drive(or all drives individually) using the wildcard only for the file name and the day you want to search on to see if any files were changed.

    Also you can go to:

    C:\Documents and Settings\user\Local Settings\History

    and click on "Today", then click on my "My Computer" and you will see all the files that were accessed, and they too will be time stamped.

    Could you not also install a key logger as a preemptive strike?

  12. Nairuz
    September 3, 2013 at 2:32 pm

    I have followed all the steps to receive notifications to my email but it did not work for me. I used this argument: " -f from@gmail.com -t to@gmail.com -u Someone Logged Into Your Computer -m Someone just logged into your computer! -s smtp.gmail.com:587 -xu from@gmail.com -xp password -o tls=yes"

    Why can't I get the notification to my email, and is there another way to receive notifications to my email aside from iSpy?

  13. Joe F
    September 2, 2013 at 5:03 pm

    Nice overview of basic security checks!

  14. shaun wray
    September 1, 2013 at 10:12 am

    very interesting,very useful

  15. dragonmouth
    August 31, 2013 at 1:39 am

    A naive question perhaps, but wouldn't the login stop unauthorized use?

    If you freely share your userid/password then you deserve all that happens. OTOH, if my room mate is a hacker then I do what Minnesota Fats had his boys do to Fast Eddie Felsen, I break his fingers.

    • Ryan Dube
      August 31, 2013 at 2:40 am

      A login can - but in situations like a household, some people don't actually enable password login (I know, crazy right?)

      There's also the situation where you've walked away from your computer and someone has jumped on it before the screensaver lock kicks in - things like that.

  16. BLord
    August 31, 2013 at 1:05 am

    Great post, RD. Keep it thorough.

  17. daf
    August 30, 2013 at 2:59 pm

    in your photo for this article you have a mac but the article is only about windows. do you have the same info for mac too?

    • Ryan Dube
      August 31, 2013 at 2:38 am

      No - but thanks to your comment we may have just such an article in the works. :-)

  18. Wilfredo Jr. D
    August 29, 2013 at 11:53 pm

    Very useful info sir!

  19. Akshay G
    August 29, 2013 at 6:38 pm

    Or, one can use a key-logger/screenshot service. Although they are extreme measures, they are extremely effective tools to nab people who go through personal data or do illegal activities on your laptop.

  20. Tony Bze
    August 29, 2013 at 5:12 pm

    Can you have this document in PDF available, plz. Thanks.
