== Checking the Event Viewer on a Windows Machine ==
# Go to the "Start" menu (bottom left corner of your screen). Select "Run" on the right side of the "Start" menu. If the "Run" option doesn't automatically appear in the "Start" menu, go into the "search" bar, type in the word "Run", and push the "Enter" key. The "Run" window appears.
#* The "Window Key + R" shortcut also opens the "Run" window.
# Type "eventvwr.msc" into the "Run" window. Press the "Enter" key. The Event Viewer window appears.
# Once the "Event Viewer" window appears, on the left hand side of the window, click on the "downward facing carrot" to the left side of the "Windows Logs" folder to expand the folder. Click on "System". Your computer's event feed appears in the center of the "Event Viewer" window.
#* If you are using Windows Vista and UAC (user account control) pops up, choose "Continue"
# When the System Log is open, click on the "Date and Time" heading to filter the the actions by the most recent date and time. There are other ways to filter the content as well.
#* The log displays a list of processes. When looking for computer startup, shutdown, or restart times, look at the "Level", which should be listed as "Information". The "Event ID" would be "6005" for startup, "6006" for shutdown, "6013" for starting up again, "6009" for detecting information during a boot, and "6008" for an improper shutdown (ex holding the power button). The "Task Category" would mention more specific information, such as "Special Logon", "Logoff", etc.
#* It is also possible to filter and search through the "Event Viewer" window even deeper. Right click on the screen where the events are listed and select "Filter Current Log". A window appears with a list of options to use as filters, such as the time, event level, task category, user, etc. Click on the "OK" button once you've selected your desired filters.
# For further information regarding the task in question, double click on the task you wish to delve further into to open the "Event Properties" menu. A new window pops up providing a description of the task. The description would specifically mention the occurrence of a shutdown, login, reboot, etc.
== Checking the Recently Opened Files on a Windows Machine ==
# Go to the "Start" menu (bottom left corner of your screen). On the right pane of the "Start" menu, click on "Recent Items". A new window appears.
# In the new window, open your "C:" drive. The contents appear in the same window.
# On the top right corner where it says "C:" in the search bar with the magnifying glass. Type something into the bar and a little flyout menu appears. In the flyout menu, select "date modified". You can select the date in which you want to filter by. A bunch of files and some folders will be sorted within your open window.
# The folders that appear are "Desktop", "Downloads", and "Temp". Click on the folders to view the contents. If you see a log file or a recently edited file, your computer has been used!
== Checking the Console Window on a Mac Machine ==
# Open the "Spotlight" menu by clicking on the "Magnifying Glass" icon in the top right corner of your screen next to where it says the time. Type in "Console" to open the console window. A new window appears.
#* The "Spotlight" menu also opens by pressing the "Command + Spacebar" keys.
# In the "Console" window, in the search bar in the top right corner, search for the word "Wake" to search the console for events that could have woken the computer up.
# Scroll to the bottom of the window to view more recent events.
# When searching for events that could represent the computer being woken up, some displayed codes (next to Kernel commands) are “EC.LidOpen (User)” or “LID0” to indicate the Mac was woken up by opening the screens lid (on a laptop), as well as “EHC” or “EHC2” to denote the Mac was woken up by the keyboard or trackpad. Most codes can easily be deciphered and are preceded by the time kernel: Wake reason:___.
== Tips ==
*When you're entering "eventvwr.msc" in the "Run" window, you may not need to type out the ".msc" extension. Some versions of Windows may require the extension and it's best to type it out just in case.
*You can also see a custom history of your computer log files from the "Event Viewer".
*Your internet browser history can also give some insight as to whether your computer has been used or not.
*Make sure you don't mistake a scheduled task for someone else touching your computer.
*On a Mac, the wake information can be found via the command line with the command: "syslog |grep -i "Wake reason", but it doesn't register failed boot/login attempts or data from waking a screensaver.
*Make sure to password protect and safeguard your computer, especially if valuable/sensitive information is on it!
== Warnings ==
*Don't move, modify, or delete a file you don't know the function of. You could potentially mess with a systems file, which would mess up your computer).
*These instructions do not work with Windows XP.
*Make sure while performing these tasks on a Windows machine, you're logged into the "Administrator" settings. Otherwise, you won't be granted certain access privileges.
*If you're trying to see the recently opened files and you cleared the file list, it cannot be retrieved unless you complete another process.
No comments:
Post a Comment