How to Audit Recent Login Activity and Failed Sign-In Attempts on Windows

What Causes This?

Windows records successful and failed sign-in attempts in the Security event log, but this only helps if login auditing is enabled and you know where to look. Suspicious login activity can come from someone using your PC without permission, repeated password guessing, remote access attempts, or a saved credential being used by an app or service. In some cases, normal system tasks can also create failed sign-in events, which is why reviewing the details matters.

Common Symptoms

• You notice failed password messages even when you did not try to sign in
• Your account shows a recent login at a time you were away from the PC
• The PC wakes, unlocks, or resumes with signs someone used it
• You see repeated account lockouts or password prompts
• Security logs contain many failed sign-in attempts from the same account

How to Fix It Manually

1. Open Event Viewer

   • Press Win + X and click Event Viewer.
   • In the left pane, expand Windows Logs and select Security.
   • This log contains login-related events such as successful and failed sign-ins.

2. Filter for sign-in events

   • In the right pane, click Filter Current Log.
   • In All Event IDs, enter: 4624,4625,4634,4647,4778,4779
   • Click OK.
   • These common IDs mean:
     • 4624 = successful login
     • 4625 = failed login
     • 4634 = logoff
     • 4647 = user initiated logoff
     • 4778/4779 = Remote Desktop session reconnect/disconnect

3. Review failed sign-in attempts first

   • Click an event with ID 4625.
   • In the lower pane, look for:
     • Account Name
     • Logon Type
     • Source Network Address
     • Failure Reason
   • Pay attention to repeated failures from the same account or IP address.
   • Common logon types:
     • 2 = local console sign-in
     • 3 = network access
     • 7 = unlock
     • 10 = Remote Desktop

4. Check recent successful logins

   • Open an event with ID 4624.
   • Confirm the Account Name, Time Created, and Logon Type.
   • If you see a successful login after many failures, especially from a remote or unusual source, investigate immediately.
   • Compare the timestamp with when you were actually using the PC.

5. Enable auditing if the Security log is missing useful data

   • Press Win + R, type secpol.msc, and press Enter.
   • Go to Local Policies > Audit Policy.
   • Double-click Audit logon events.
   • Check Success and Failure, then click OK.
   • If you use Windows Home and do not have Local Security Policy, auditing may already be managed differently or be limited.

6. Take action on suspicious activity

   • Change the password for the affected Windows account immediately.
   • If you use a Microsoft account, change it at account.microsoft.com and review recent account activity there too.
   • Disable Remote Desktop if you do not use it: open Settings > System > Remote Desktop and turn it Off.
   • Run Windows Security > Virus & threat protection and perform a scan.

7. Clear up patterns and preserve evidence

   • In Event Viewer, use Find in the right pane to search for your username.
   • Save suspicious events: right-click Security and choose Save All Events As if you want a record before making changes.
   • Look for repeated failures at regular intervals, which can point to a service, scheduled task, or attack attempt.

Fix It Automatically with Kudu

Kudu can help surface suspicious login patterns without making you dig through Event Viewer by hand. It checks for security-related issues, highlights unusual account activity, and helps you spot repeated failed sign-ins or settings that increase risk.

Download Kudu Free →