How to Check Successful or Failed Login Attempts on Your Windows Computer
Windows lets you create multiple user accounts to let multiple users use a single computer. But what if you suspect someone to have accessed your PC or user account without your knowledge?
While physically monitoring your computer all the time is not feasible for most people, the built-in Windows log utility, Event Viewer, can reveal the recent activities on your computer, including login attempts. Here we show you how to audit failed and successful login attempts in Windows using Event Viewer and other methods.
How to Enable Logon Auditing via Group Policy Editor
You need to enable logon auditing in Group Policy Editor to be able to view login audit in Event Viewer. While this feature may be enabled by default on some computers, you may also enable logon auditing manually by following these steps.
Note that Group Policy Editor is only available on the Pro, Edu, and Enterprise edition of the Windows OS. If you are on the Home edition, follow our guide toenable gpedit in the Windows home edition.
Note that if you don’t configure your Group Policy for Logon Auditing, you can only view the successful login attempts in Event Viewer.
Once you have the Group Policy Editor enabled, follow these steps to enable logon auditing:
Close Group Policy Editor and move to the next set of steps to view login attempts in Event Viewer.
How to View Failed and Successful Login Attempts in Event Viewer
TheEvent Viewerlets you view Windows logs for the application, security, system, and other events. While a useful application to troubleshoot system issues, it’s possible to use it to audit login events on your Windows PC.
Follow these steps to view failed and successful login attempts in Windows:
How to Decipher the Logon Entries in Event Viewer
While Event ID 4624 is associated with logon events, you will likely find multiple instances of this entry occurring every few minutes in the log. This is due to Event Viewer recording every logon event (whether from the local user account or system services such as Windows Security) with the same event ID(Event 4624).
To identify the source of login, right-click on the event record and selectProperties. In theGeneraltab, scroll down and locate theLogon informationsection. Here, theLogon Typefield indicates the kind of logon that occurred.
For example,Logon Type 5indicates a service-based login, whileLogon Type 2indicates user-based login. Know more about the different logon types in the table below.
Next, scroll down to theNew Logonsection and locate theSecurity ID. This will show the user account that was affected by the logon.
Similarly, for failed login attempts, reviewEvent ID 4625. In thePropertiesdialog, you can find reasons for the failed login attempt and the affected user account. If you find multiple instances of unsuccessful attempts, consider learninghow to limit the number of failed login attempts to protect your Windows PC.
Below is the list of all nineLogon Typesfor logon events that you may encounter reviewing login events in Event Viewer:
Logon Type
Description
Logon Type 2
A local user logged on to this computer.
Logon Type 3
A user logged on to this computer from the network.
Logon Type 4
Batch logon type without user intervention – Scheduled Tasks, etc.
Logon Type 5
Logon by system service started by Service Control Manager – Most common type
Logon Type 7
System unlocked by a local account user
Logon Type 8
NetworkClearText - Logon attempted over the network where the password was sent as clear text.
Logon Type 9
NewCredentials – triggered when a user uses the RunAs command with the /netonly option to start a program.
Logon Type 10
RemoteInteractive – Generated when a computer is accessed via a remote access tool such as Remote Desktop Connection.
Logon Type 11
CachedInteractive – When the user logged on to the computer via console using the cached credentials when the domain controller is not available.
How to View the Last Logon History Using Command Prompt
You can use the Command Prompt to view the last login attempt. It is a handy way to find user-based login attempts without having to go through all the logon events in Event Viewer.
To view the login history of a specific user using Command Prompt:
Viewing Failed and Successful Login Attempts in Windows
If you suspect someone to have logged in to your PC, the Event Viewer will likely catch and record the attempt. For this to work, you must enable the Logon Auditing policy in Group Policy Editor. You can also use Command Prompt to view a specific user’s login history.
That said, anyone who knows their way around Event Viewer can easily clear the logs. So, if anything, beefing up your Windows computer security is the best way to prevent unauthorized access. you could begin by limiting the number of failed login attempts on your Windows PC.
Windows 11 is definitely better than its predecessors when it comes to security. Here are some ways to dial it up even more.
My foolproof plan is to use Windows 10 until 2030, with the latest security updates.
Not Linux, not Windows. Something better.
Not all true crime is about hacking, slashing, and gore.
Your phone is a better editor than you give it credit for.
Free AI tools are legitimately powerful; you just need to know how to stack them.
