General discussion
November 15, 2023 at 4:34 am #4192939
Event Viewer clear logs – and how to see if laptop has been used
by Oblivion99 · about 1 year, 3 months ago
Dear all
When I press the power button on my laptop, it gets logged in Event Viewer in Windows.
That way I know, that the laptop has not been turned on by others than me.
Then I saw, that it is possible to clear logs.
1. What happens to cleared logs in Event Viewer – are they completely gone?
2. Other ways to find out if the laptop was turned on by other than me?
Thank you
All Comments
November 15, 2023 at 5:08 am #4192947
Reply To: Event Viewer clear logs – and how to see if laptop has been used
by kees_b · about 1 year, 3 months ago
In reply to Event Viewer clear logs – and how to see if laptop has been used
1. Most likely, they are still somewhere on the SSD/hard disk. But I don’t think you can find and interpret them.
2. If you see they are cleared, and you didn’t do it yourself, you know somebody else did it. That’s what you want to know. So that’s a clear “yes”.
Of course, if they boot to a Linux disc or stick, the Windows event log isn’t changed. So all you know in #2 is that the laptop was not booted into Windows by somebody else.
So I would recommend the proven old method of inserting a small and unnoticeable thing like a hair or a very small piece of paper between the lid and the case when you close the laptop and check it’s still present. If it disappeared, somebody opened the laptop. But you can’t say if they booted it or just had a look. Like in old sleuth movies you can’t say if they only opened the door or actually entered the room.
It might be safer to put it into the view of a security camera that logs its images to the cloud when it detects movement.
Another very easy alternative. Use any of the ways described in
Another rather safe way: write a small batch file to append a line with date and time to some inconspicuous file that’s run (via task scheduler) at every start up. That’s your very own private and secret startup log, while the event viewer is a well known one.
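One way to set up the private startup log suggested in the reply above, as an added example that is not part of the original post. It uses a PowerShell one-liner as the scheduled action instead of a batch file; the file path and task name are placeholders made up for this example.

```powershell
# Added example: private startup log written by a scheduled task at every boot.
# Run once from an elevated PowerShell prompt.
# $LogFile and $TaskName are hypothetical placeholders; pick your own.
$LogFile  = 'C:\ProgramData\ExampleNotes\boot.txt'
$TaskName = 'ExampleStartupStamp'

# Make sure the folder for the log file exists.
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# Command executed at each boot: append one ISO 8601 timestamp line.
$cmd    = "Add-Content -Path '$LogFile' -Value (Get-Date -Format o)"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -Command `"$cmd`""

# Fire at system startup, before anyone logs on, under the SYSTEM account.
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Read back the most recent entries of the private log.
function Get-PrivateBootLog {
    param([int]$Last = 10)
    if (Test-Path $LogFile) {
        Get-Content -Path $LogFile -Tail $Last
    }
}

Get-PrivateBootLog
```

The task only records boots of this Windows installation; resume from sleep or hibernation does not trigger it, and a boot from other media never runs it.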
November 17, 2023 at 5:27 am #4193808
Reply To: Event Viewer clear logs – and how to see if laptop has been used
by DKenn3 · about 1 year, 3 months ago
In reply to Event Viewer clear logs – and how to see if laptop has been used
Event Viewer does not allow deletion of a single event, only the entire log. So you would know if the logs have been tampered with.
The logs are stored in single files in C:\Windows\System32\winevt\Logs. They are also dated.
Why don’t you use a strong password, that would stop others using it?
November 17, 2023 at 8:09 am #4193861
Explain please
by Oblivion99 · about 1 year, 3 months ago
In reply to Reply To: Event Viewer clear logs – and how to see if laptop has been used
“Event Viewer does not allow deletion of a single event, only the entire log. So you would know if the logs have been tampered with.”
I am not sure what you mean? Can you please elaborate?
Thank you
November 17, 2023 at 9:09 am #4193876
Reply To: Event Viewer clear logs – and how to see if laptop has been used
by DKenn3 · about 1 year, 3 months ago
In reply to Event Viewer clear logs – and how to see if laptop has been used
Event Viewer only allows deletion of all events in a single log, e.g. System. So if the log has been cleared by someone, the log entries would only go back to that point. If the log has not been cleared it should go back many months.
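A check along the lines described in the reply above, as an added example that is not part of the original post. It reports how far back the System and Security logs go, looks for the records Windows writes when a log is cleared (event 104 in System, event 1102 in Security), and lists recent operating system starts; the function names are made up for this example.

```powershell
# Added example: look for signs that an event log was cleared and list boots.
# Run elevated; reading the Security log requires administrator rights.

function Get-LogClearEvidence {
    # System 104 = "log file was cleared"; Security 1102 = "audit log was cleared".
    $clearIds = @{ System = 104; Security = 1102 }
    foreach ($log in $clearIds.Keys) {
        # Oldest record still present in this log.
        $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 `
            -ErrorAction SilentlyContinue
        # Clear records, newest first (Get-WinEvent default order).
        $clears = @(Get-WinEvent -FilterHashtable @{
                LogName      = $log
                ProviderName = 'Microsoft-Windows-Eventlog'
                Id           = $clearIds[$log]
            } -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Log         = $log
            OldestEvent = $oldest.TimeCreated
            ClearEvents = $clears.Count
            LastCleared = ($clears | Select-Object -First 1).TimeCreated
        }
    }
}

function Get-BootHistory {
    param([int]$Days = 30)
    # Kernel-General event 12 is written at each operating system start.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 12
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName
}

Get-LogClearEvidence | Format-Table -AutoSize
Get-BootHistory | Sort-Object TimeCreated | Format-Table -AutoSize
```

A recent OldestEvent together with a clear record at about the same time points to a cleared log; a recent OldestEvent on its own can also result from the log reaching its maximum size and overwriting old entries.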
November 21, 2023 at 8:48 am #4195206
Can’t delete logs in between?
by Oblivion99 · about 1 year, 2 months ago
In reply to Reply To: Event Viewer clear logs – and how to see if laptop has been used
That seems weird, unless I still don’t understand.
Is it not possible to delete logs from, for example, August, while still keeping logs from July and September?
I assume you could just find the Event Viewer data in its data folder, and then delete the logs there in between, like the example above?
November 21, 2023 at 11:54 am #4195359
Re: event viewer data
by kees_b · about 1 year, 2 months ago
In reply to Can’t delete logs inbetween?
By default, Event Viewer log files use the .evt extension and are located in the %SystemRoot%\System32\winevt\Logs folder.
So please go ahead and tell us if you’re right to assume that you can delete the startup data from August. I think it’s a wrong assumption, so it’s up to you to prove that it’s possible.
You might have to google for things you don’t know.
February 26, 2024 at 2:46 pm #4218340
Reply To: Event Viewer clear logs – and how to see if laptop has been used
by johntk22 · about 11 months, 3 weeks ago
In reply to Event Viewer clear logs – and how to see if laptop has been used
Thanks for info
This reply was modified 11 months, 3 weeks ago by