How to Check Windows Login History in Windows 10 and Windows 11

Overview

How to See Who Logged Into Windows 10 or Windows 11

Windows records many authentication-related events in the built-in Security log. By checking these events, you can find out when someone signed in, whether the sign-in was local or remote, which account was used, and whether there were failed password attempts.

The most useful built-in tool for this task is Event Viewer. You can also use PowerShell for faster filtering, Command Prompt for basic account information, and the Microsoft account security page if you sign in with a Microsoft account.

ℹ️

Good to Know You usually need administrator rights to view the full Security log. Standard users may not see all logon audit events.

What You Can Find

Successful local logins to the PC.
Failed password attempts.
Remote Desktop logon sessions.
Computer lock and unlock events.
Account names, timestamps, logon types, and source computer names.

Reference

Windows Login Event IDs You Should Know

Before checking the logs, it helps to know the most common event IDs. These numbers are used by Windows to identify specific logon and account events.

4624 Successful account logon. This is the main event for finding successful sign-ins.

4625 Failed logon attempt. Useful for checking incorrect password attempts or unauthorized access attempts.

4634 Account logoff. Shows when a logon session ended.

4647 User-initiated logoff. Indicates that the user actively signed out.

4800 Workstation locked. Appears when the computer is locked.

4801 Workstation unlocked. Appears when the computer is unlocked.

Common Logon Types

Logon Type	Meaning	Example
`2`	Interactive logon	Someone signed in at the keyboard and screen.
`3`	Network logon	Access to a shared folder or network resource.
`7`	Unlock	User unlocked a previously locked session.
`10`	Remote interactive logon	Remote Desktop connection.
`11`	Cached interactive logon	Domain user signed in using cached credentials.

Method 1

Check Windows Login History Using Event Viewer

Event Viewer is the easiest graphical method for checking Windows sign-in history. It works in both Windows 10 and Windows 11.

Press Win + R.
Type eventvwr.msc and press Enter.
In the left panel, open Windows Logs.
Select Security.
Look for events with ID 4624 for successful sign-ins and 4625 for failed sign-ins.

Event Viewer → Windows Logs → Security

Click an event and open the General tab. Look for fields such as Account Name, Logon Type, Workstation Name, Source Network Address, and Failure Reason.

⚠️

Important A single real user sign-in can generate multiple events. Windows records background processes, services, network access, and system authentication events as well. Always check the Logon Type before drawing conclusions.

Method 2

Filter Successful and Failed Login Attempts in Event Viewer

The Security log can contain thousands of events. Filtering by event ID makes it much easier to find only the sign-in records you need.

Filter Successful Logins

Open Event Viewer.
Go to Windows Logs → Security.
Click Filter Current Log on the right.
In the <All Event IDs> field, enter 4624.
Click OK.

Filter Failed Login Attempts

Open the same Filter Current Log window.
Enter 4625 in the event ID field.
Click OK.
Open an event and check Failure Reason and Account Name.

To check several event types at once, enter them separated by commas:

4624,4625,4634,4647,4800,4801

Method 3

Use PowerShell to Check Windows Login History

PowerShell is faster when you want to search recent logon events without manually browsing Event Viewer. Open Windows Terminal or PowerShell as administrator and run the commands below.

Show Recent Successful Logins

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 20 |
Select-Object TimeCreated, Id, ProviderName, Message

Show Recent Failed Login Attempts

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
Select-Object TimeCreated, Id, ProviderName, Message

Show Login, Logout, Lock, and Unlock Events Together

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4634,4647,4800,4801} -MaxEvents 50 |
Select-Object TimeCreated, Id, Message

💡

Tip PowerShell output can be very long because the Message field contains the full event text. Use Event Viewer if you prefer a visual interface.

Method 4

Check Basic User Login Information with Command Prompt

Command Prompt does not show the full Security log as clearly as Event Viewer or PowerShell, but it can show useful account details.

Check Last Logon Information for a Local User

net user username

Replace username with the actual Windows account name. Look for the Last logon line.

Show Currently Logged-in Users

query user

On some systems, the shorter command quser also works.

Show the Current User

whoami

⚠️

Limitation The net user command is useful for quick account checks, but it is not a complete login audit trail. For detailed sign-in history, use the Security log.

Method 5

Check Remote Desktop Login History in Windows

If you want to know whether someone connected through Remote Desktop, check for logon type 10 in event ID 4624. This indicates a remote interactive logon.

Open Event Viewer.
Go to Windows Logs → Security.
Filter by event ID 4624.
Open an event and check the Logon Type field.
If the value is 10, the sign-in was made through Remote Desktop.

You can also check this log for Remote Desktop session activity:

Applications and Services Logs → Microsoft → Windows → TerminalServices-LocalSessionManager → Operational

Method 6

Check Microsoft Account Sign-in Activity

If you use a Microsoft account to sign in to Windows, local Event Viewer records Windows logon activity, but Microsoft account security activity is checked online.

Open your browser.
Go to the Microsoft account security page.
Open Sign-in activity or Recent activity.
Review successful sign-ins, failed attempts, locations, devices, and IP-related information.

This is especially useful if you suspect that someone tried to access your Microsoft account from another device or location.

Audit Settings

How to Enable Logon Auditing in Windows

Most Windows installations already record important logon events, but if the Security log does not contain the expected records, check the audit policy.

Enable Audit Logon Events in Local Security Policy

Press Win + R.
Type secpol.msc and press Enter.
Open Local Policies → Audit Policy.
Double-click Audit logon events.
Enable Success and Failure.
Click OK.

ℹ️

Windows Home Note Some editions of Windows do not include the Local Security Policy console. In that case, use Command Prompt or PowerShell with administrator rights.

Enable Logon Auditing from Command Prompt

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Check Current Audit Policy

auditpol /get /subcategory:"Logon"

Troubleshooting

Why Windows Login History May Be Missing

If you cannot find sign-in events, one of the following reasons is usually responsible:

Auditing is disabled: enable success and failure auditing for logon events.
The Security log was cleared: Event Viewer records log clearing as a separate administrative event.
The log was overwritten: older events may disappear when the maximum log size is reached.
You are not an administrator: use an admin account to read the Security log.
You are checking the wrong event type: network access, unlock events, RDP sessions, and local sign-ins use different logon types.

Increase Security Log Size

Open Event Viewer.
Right-click Windows Logs → Security.
Select Properties.
Increase Maximum log size.
Choose whether Windows should overwrite old events or archive the log.

FAQ

Frequently Asked Questions About Windows Login History

Can I see the exact password used in a failed login attempt?

No. Windows does not store or display entered passwords in Event Viewer. You can see that a login failed, which account was targeted, and sometimes the failure reason, but not the password itself.

How do I know if someone logged into my PC while I was away?

Check event ID 4624 in the Security log and look for logon type 2, 7, or 10. Also check lock/unlock events 4800 and 4801.

Does Windows keep login history forever?

No. Events remain only while they are still inside the Security log. If the log reaches its size limit, old records may be overwritten depending on the log settings.

Can I check login history without administrator rights?

In most cases, no. Viewing the full Security log requires administrator privileges.

What is the best way to check failed password attempts?

Use Event Viewer and filter the Security log by event ID 4625. Open each event and review Account Name, Failure Reason, and source information.

Summary

Summary: Best Ways to View Windows Sign-in History

The most complete way to check Windows login history is to open Event Viewer → Windows Logs → Security and filter by event IDs such as 4624 for successful sign-ins and 4625 for failed attempts. For faster searching, use PowerShell. For quick account information, use net user, query user, and whoami.

If you need reliable future records, make sure logon auditing is enabled and increase the Security log size so older login events are not overwritten too quickly.