How to view user login activity on Windows

Reviewing sign-in activity in Windows supports incident response, compliance auditing, and everyday troubleshooting. Successful and failed logons can reveal unexpected remote access, repeated password-guessing attempts, or the exact time a user session started.

Windows Event Log stores authentication records in the Security log and surfaces them through Event Viewer. The Microsoft-Windows-Security-Auditing source assigns a numeric Event ID to each authentication outcome, so filtering on IDs such as 4624 and 4625 isolates logon activity without wading through unrelated entries.

Some environments restrict access to the Security log or disable auditing via Group Policy, so empty results can reflect policy rather than absence of logons. Security logs can also overwrite older entries when the log reaches its maximum size, making retention settings important for long investigations. Domain-joined systems may record additional authentication events on domain controllers, while local machines keep only local security events.

Related: How to check system logs on Windows

Steps to view login logs using Event Viewer:

  1. Open the Run dialog with Windows + R.
  2. Enter eventvwr.msc and press Enter.
  3. Expand Windows Logs in the left pane.
  4. Select Security.

    Access is denied indicates insufficient privileges, so relaunch Event Viewer with Run as administrator.

  5. Open the filter dialog from ActionsFilter Current Log….
  6. Choose a time window from Logged: to limit results.

    Short ranges (for example, Last 24 hours) reduce noise when investigating a specific incident window.

  7. Enter 4624,4625 in Event IDs and click OK. 
    4624: Successful logon
4625: Failed logon

    Additional useful filters include 4634 (logoff), 4647 (user-initiated logoff), 4778/4779 (RDP reconnect/disconnect), and 1102 (audit log cleared).

  8. Restrict the results to one account using User:Select Users….

    Use the same name shown in events (for example, EXAMPLE\\j.smith or WORKSTATION-01\\localuser) to avoid filtering the wrong identity.

  9. Sort the filtered list by Date and Time to focus on the most recent activity.
  10. Double-click an entry to view logon details like Account Name, Logon Type, and Source Network Address. 
    Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4624
Task Category: Logon
##### snipped #####
New Logon:
  Account Name: ExampleUser
  Account Domain: EXAMPLE
Logon Information:
  Logon Type: 10
Network Information:
  Source Network Address: 203.0.113.25
##### snipped #####

    Logon Type commonly appears as 2 (interactive at the console), 3 (network access), 10 (remote interactive, often RDP), and 7 (workstation unlock), and the New Logon section identifies the account that signed in.

  11. Export the filtered events from ActionsSave All Events As….

    Saving as .evtx preserves full event structure for later review, while .csv is convenient for spreadsheets but can flatten nested fields.

  12. Confirm the log contains the expected activity for the chosen time range.

    No matching events can indicate auditing is disabled (Advanced Audit Policy under Logon/Logoff) or older entries have rolled off due to Security log size and retention settings.