System tips: Turn on logon auditing to monitor use of the machine

When you enable the audit function of the Windows 10 system, the system tracks and records system usage events. With system auditing we can not only troubleshoot the system based on its operational status, but also monitor the actions users perform on the computer. If you want to find out whether someone else has logged on to your computer without your knowledge, you can do so with the Windows Event Viewer, provided the system logon audit feature is enabled.

1. Enabling Logon Auditing via Group Policy

By default, the Windows logon audit policy is turned off, so we need to turn on this feature first. Press the Win+R key combination to open the “Run” box, type GPEDIT.MSC and press Enter to start the Group Policy Editor (Figure 1).


In the left pane of the Group Policy Editor, navigate to “Computer Configuration→Windows Settings→Security Settings→Local Policies”, then click the “Audit Policy” node under it to display the audit items it contains (Figure 2).


Next, double-click the audit policies in the right pane, especially “Audit logon events” and “Audit account logon events”, check both the “Success” and “Failure” options in the list of audit actions, and finally click the “Apply” and “OK” buttons (Figure 3).


2. Viewing Unauthorized Logons through Event Viewer

Right-click the Windows 10 Start button and then click the Event Viewer option in the pop-up menu to launch the Event Viewer (Figure 4).


In the left navigation pane of the Event Viewer window, expand “Windows Logs→Security”; a number of entries with logon dates and time stamps then appear in the middle pane (Figure 5). Because Windows records many logon entries within a few minutes of each logon, you can use these entries to determine when the system was logged on to.


Double-click an entry whose “Task Category” is Special Logon; the “Event Properties” window that opens shows the logon account name, account domain, and other information (Figure 6). In addition, the “Filter Current Log” link on the right side of the event window lets you filter the log records as needed, so that you can locate the relevant logon records more quickly and accurately.


Although these system logon records can be seen in the event window above, an intruder who is smart enough can simply clear all event logs after gaining access. To guard against this, we can set the system to remember the events of the last logon so that this information cannot be deleted. For that, we need to turn to the Registry Editor.

Press the Win+R key combination to launch the “Run” dialog and type REGEDIT to open the Registry Editor. In the Registry Editor, navigate to “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” (Figure 7).


Right-click on the System item and select “New → DWORD (32-bit) Value” to create a new DWORD value (Figure 8).


Next, rename the new value DisplayLastLogonInfo, double-click it to edit it, set its “Value data” to 1, and click “OK” (Figure 9). From then on, the next time you log on to your computer you will first be shown the time of your last Windows logon and a record of any failed attempts to log on to the system, whether made by yourself or by a stranger.
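The same setup and check can be done from an elevated PowerShell prompt. This is an added example and not part of the original article: it writes the DisplayLastLogonInfo value from Figures 7-9, confirms the logon audit setting from Figure 3, and then summarises the Security-log logon records that Figure 5 shows in Event Viewer. The event IDs 4624 (successful logon) and 4625 (failed logon) are the standard Windows Security-log IDs for these events; the 24-hour window and the logon-type filter are choices made for this example.

```powershell
# Added example (not from the original article). Run as Administrator.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Step 1: the registry setting from Figures 7-9, without the GUI.
New-ItemProperty -Path $policyKey -Name 'DisplayLastLogonInfo' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: confirm that logon auditing is on for Success and Failure (Figure 3).
auditpol /get /subcategory:"Logon"

# Step 3: pull the logon events of the last 24 hours (example choice) from the
# Security log; 4624 = successful logon, 4625 = failed logon.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

# Each record carries its details as <Data Name="..."> elements; flatten them.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Result    = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']   # 2 = console, 7 = unlock, 10 = RDP, 11 = cached
        Source    = $d['IpAddress']
    }
}

# Machine accounts (names ending in $) are routine noise; what matters here is
# who signed in at the console, unlocked the screen, or came in over RDP.
$rows | Where-Object { $_.Account -notmatch '\$$' -and $_.LogonType -in 2, 7, 10, 11 } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Failed attempts grouped by account: a burst here is what the last-logon
# prompt enabled in Step 1 will also warn you about at the next sign-in.
$rows | Where-Object Result -eq 'Failure' |
    Group-Object Account | Select-Object Name, Count | Sort-Object Count -Descending
```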


Tip: The above changes apply to Windows 10 Professional Edition and above. Home Edition does not include the built-in Group Policy Editor, but because the audit and event-tracking features are enabled there, the above process does not need to be performed and you can still view the tracked events.

Security auditing is very important both for personal computers and for systems in businesses. The audit log records whether security has been breached, and if an intrusion does occur, the event log produced by a correctly configured audit policy contains very useful information about the intrusion and provides an important basis for investigating and judging it. Individuals and departments that are sensitive to data security should therefore make full use of this feature.
