  • #4192939

    Event Viewer clear logs – and how to see if laptop has been used

    by Oblivion99 ·

    Dear all

    When I press the power button on my laptop, it gets logged in Event Viewer in Windows.

    That way I know, that the laptop has not been turned on by others than me.

    Then I saw, that it is possible to clear logs.

    1.
    What happens to cleared logs in Event Viewer – are they completely gone?

    2.
    Other ways to find out, if the laptop was turned on by others than me?

    Thank you

    • #4192947
      Reply To: Event Viewer clear logs – and how to see if laptop has been used

      by kees_b ·

      In reply to Event Viewer clear logs – and how to see if laptop has been used

      1. Most likely, they are still somewhere on the SSD/hard disk. But I don’t think you can find and interpret them.
      2. If you see they are cleared, and you didn’t do it yourself, you know somebody else did it. That’s what you want to know. So that’s a clear “yes”.

      Of course, if they boot to a Linux disc or stick, the Windows event log isn’t changed. So all you know in #2 is that the laptop was not booted into Windows by somebody else.
      So I would recommend the proven old method of inserting a small and unnoticeable thing like a hair or a very small piece of paper between the lid and the case when you close the laptop and check it’s still present. If it disappeared, somebody opened the laptop. But you can’t say if they booted it or just had a look. Like in old sleuth movies you can’t say if they only opened the door or actually entered the room.

      It might be safer to put it into the view of a security camera that logs its images to the cloud when it detects movement.

      Another very easy alternative. Use any of the ways described in

      Another rather safe way: write a small batch file to append a line with date and time to some inconspicuous file that’s run (via task scheduler) at every start up. That’s your very own private and secret startup log, while the event viewer is a well-known one.

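One way to set up the private startup log suggested in the reply above, as an added example that is not part of the original post. The file path and task name are hypothetical, and the commands assume an elevated PowerShell prompt.

```powershell
# Added example: path and task name are assumptions, not from the thread.
$logFile  = 'C:\ProgramData\Maintenance\boot.log'   # hypothetical log location
$taskName = 'BootStamp'                              # hypothetical task name

# Make sure the folder for the log exists.
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

# The task runs cmd.exe, which fills in %DATE% and %TIME% each time it starts
# and appends one line to the log. PowerShell leaves the %...% text untouched.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
    -Argument "/c echo %DATE% %TIME% boot>> `"$logFile`""

# Fire at every Windows startup, before anyone logs on, under the SYSTEM account.
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Later: show the most recent startups recorded by the task.
if (Test-Path $logFile) { Get-Content $logFile -Tail 10 }
```

Like the event log, this file only records boots into this Windows installation, and anyone with administrator rights who finds the task or the file can edit both.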
    • #4193808

      Reply To: Event Viewer clear logs – and how to see if laptop has been used

      by DKenn3 ·

      In reply to Event Viewer clear logs – and how to see if laptop has been used

      Event Viewer does not allow deletion of single events, only the entire log. So you would know if the logs have been tampered with.

      The logs are stored in single files in C:\Windows\System32\winevt\Logs. They are also dated.

      Why don’t you use a strong password, that would stop others using it?

    • #4193876

      Reply To: Event Viewer clear logs – and how to see if laptop has been used

      by DKenn3 ·

      In reply to Event Viewer clear logs – and how to see if laptop has been used

      Event Viewer only allows deletion of all events in a single log, e.g. System. So if the log has been cleared by someone, the log entries would only go back to that point. If the log has not been cleared it should go back many months.
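The check described in the reply above, as an added example that is not part of the original post: it lists log-clear events, the oldest record still present in each log, and recent start and resume events. The event IDs are standard Windows ones rather than values from this thread, and reading the Security log assumes an elevated PowerShell prompt.

```powershell
# Added example; event IDs are standard Windows values, not from the thread:
#   System 104    (Microsoft-Windows-Eventlog)          a log file was cleared
#   Security 1102                                       the audit log was cleared
#   System 6005   (EventLog)                            Event Log service started
#   System 12     (Microsoft-Windows-Kernel-General)    operating system started
#   System 1      (Microsoft-Windows-Power-Troubleshooter) resumed from sleep

function Get-LogClearEvents {
    $filters = @(
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 },
        @{ LogName = 'Security'; Id = 1102 }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, UserId
    }
}

function Get-OldestRecord([string]$LogName) {
    # -Oldest returns events in chronological order, so the first one is the oldest.
    Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object LogName, TimeCreated, RecordId
}

function Get-StartEvents([int]$Days = 30) {
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 12; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1; StartTime = $since }
    )
    $filters | ForEach-Object {
        Get-WinEvent -FilterHashtable $_ -ErrorAction SilentlyContinue
    } | Sort-Object TimeCreated | Select-Object TimeCreated, ProviderName, Id
}

'--- Log clear events ---'
Get-LogClearEvents | Format-Table -AutoSize
'--- Oldest record per log ---'
'System', 'Security' | ForEach-Object { Get-OldestRecord $_ } | Format-Table -AutoSize
'--- Start and resume events, last 30 days ---'
Get-StartEvents | Format-Table -AutoSize
```

A recent oldest record can also come from the log reaching its size limit and overwriting old events, so read it together with the clear events rather than on its own.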

      • #4195206

        Can’t delete logs in between?

        by Oblivion99 ·

        In reply to Reply To: Event Viewer clear logs – and how to see if laptop has been used

        That seems weird, unless I still don’t understand.

        Is it not possible to delete logs from, for example, August, while still keeping logs from July and September?

        I assume you could just find the Event Viewer data in its data folder, and then delete the logs there in between, like the example above?

        • #4195359
          Re: event viewer data

          by kees_b ·

          In reply to Can’t delete logs in between?

          By default, Event Viewer log files use the .evt extension and are located in the %SystemRoot%\System32\winevt\Logs folder.

          So please go ahead and tell us if you’re right to assume that you can delete the startup data from August. I think it’s a wrong assumption, so it’s up to you to prove that it’s possible.
          You might have to google for things you don’t know.

    • #4218340

      Reply To: Event Viewer clear logs – and how to see if laptop has been used

      by johntk22 ·

      In reply to Event Viewer clear logs – and how to see if laptop has been used

      Thanks for info
