How to Check User Login History in Windows 11/10 - Windows Basics

Thursday, May 25, 2023

How to Check User Login History in Windows 11/10

When a user logs into your computer, their information gets stored, and one can easily view their details. In this tutorial, we will be talking about how to check the User Login History in Windows 11/10 or Windows Server.

As long as you have the password, logging into a user account in Windows 10 is pretty straightforward. Just type the password and press the Enter button. Though not every day, there might be situations where you need to know the exact time when a user logged into the computer, i.e., check the Windows 10/11 user login history. For example, maybe you want to enforce strict usage timing for the family PC, monitor unauthorized access, troubleshoot a specific login access problem, etc.

1. Windows 10 / 11 user login history using Event Viewer

1. Type event viewer in the search box and then open the Event Viewer app.

2. Expand the Windows Logs and select Security.

3. In the Security log, open one by one all the events with Event ID 4624 (or 4648), and find the one that has Logon Type = 2 and whose Account Name shows the username of a user (and not SYSTEM, NETWORK SERVICE, etc.).* Finally, view the Logged time to see the date and time of the user's login.

4. To view the Logoff times of a user, see the events with Event ID 4647.*

* Note: To make your life easier, create a custom view and type 4624 or 4648 for Logon, or 4647 for Logoff, or see the next method.

2. Check Windows 10 / 11 User Login History Using PowerShell
1. Run PowerShell with admin rights.
2. Then paste the code below into PowerShell.
Get-EventLog security | Where-Object {$_.TimeGenerated -gt '2/10/20'} | Where-Object {($_.InstanceID -eq 4634) -or ($_.InstanceID -eq 4624)} | Select-Object Index,TimeGenerated,InstanceID,Message
  • Get-EventLog: allows you to access the Event Log on both local and remote computers.
  • First Where-Object: uses the variable $_ to compare the TimeGenerated property with the specified value. Here, we specify the date.
  • Second Where-Object: specifies the two Event IDs that you want. Here, value = 4634 (EventId for login)
  • Select-Object: allows us to return only the output columns that we want to have.
Also, you can use the following PowerShell script:

Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624}
Here "Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624}" searches the "Security" event log for events with ID 4624.

Note: Exporting the above records to a CSV file
Here is the script:
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624} | Export-CSV D:\UserLoginHistory.csv
The output of the user login log is exported here using the "Export-CSV" command, and the resulting CSV file can be opened in Excel or another program of your choosing. In this particular instance, the output is exported to a file named "UserLoginHistory.csv" on drive D.
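
The filtering that method 1 does by hand (Logon Type = 2, a real user in Account Name, Event ID 4647 for logoff) can also be applied to the Get-WinEvent output. The script below is an added example, not code from the original tutorial; the 7-day window, the variable names and the ConvertTo-LogonRecord helper are assumptions made for illustration.

```powershell
# Added example: interactive logon/logoff history from the Security log.
# Run in an elevated PowerShell session. $Days is an assumed look-back window.
$Days  = 7
$Start = (Get-Date).AddDays(-$Days)

# Built-in accounts to leave out of the report (see step 3 of method 1).
$Skip = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON'

function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        # EventData fields are named in the event XML; index them by name.
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time      = $LogEvent.TimeCreated
            Action    = if ($LogEvent.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = $data['LogonType']      # not present on 4647 events
            LogonId   = $data['TargetLogonId']  # same value on a session's logon and logoff
        }
    }
}

$history = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4647; StartTime = $Start
    } |
    ConvertTo-LogonRecord |
    Where-Object {
        # Keep every user-initiated logoff (4647), but only Logon Type 2 logons.
        ($_.Action -eq 'Logoff' -or $_.LogonType -eq '2') -and
        $_.User -notin $Skip -and
        # Window Manager / Font Driver Host accounts also log on with type 2.
        $_.User -notmatch '^(DWM|UMFD)-\d+$'
    } |
    Sort-Object Time

$history | Format-Table -AutoSize

# Optional: write the filtered history to a CSV file (the path is an assumption).
# $history | Export-Csv -Path .\UserLoginHistory.csv -NoTypeInformation
```

Rows that share a LogonId belong to the same session, so a logon without a matching logoff row points to a session that is still open or that ended without a user-initiated logoff.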

3. View Logon & Logoff Times with WinLogOnView.

In my opinion, the easiest way to see all users' login and logout history is by using the third-party utility WinLogOnView by NirSoft. To do that:

1. Download WinLogOnView and extract the ZIP file to a folder.

2. Explore the extracted folder and run the WinLogOnView application.

3. On your screen you will see the login and logout time of each computer user, the total duration of their connection and the IP address from which they connected (127.0.0.1 = locally).

That's it! Which method worked for you?