How to Check Windows Event Logs for Signs of Unauthorized Access

Use Event Viewer to spot login abuse, policy changes, and suspicious activity, and let Kudu help with security review.

By the Kudu Team

Fix this automatically with Kudu

Run a free system scan to detect and resolve this issue automatically — no manual steps required.

Download Kudu Free →

What Causes This?

Signs of unauthorized access usually appear in Windows Event Logs after someone successfully signs in, repeatedly fails sign-in attempts, changes account settings, or modifies security policies. These events can come from a real attacker, malware using stolen credentials, or even a legitimate user account being misused. In many cases, the problem starts with weak passwords, exposed remote access, reused credentials, or a device that has not been reviewed for suspicious account activity.

Common Symptoms

  • You notice login attempts at unusual times
  • Your account gets locked out or shows repeated failed sign-ins
  • Security settings, user accounts, or audit policies change unexpectedly
  • Remote Desktop or network logins appear that you do not recognize
  • Event Viewer shows frequent security warnings or account management events

How to Fix It Manually

  1. Open Event Viewer and go to the Security log.

    • Press Win + S, type Event Viewer, and open it.
    • In the left pane, expand Windows Logs.
    • Click Security.
  2. Filter the log for important sign-in and account events.

    • In the right pane, click Filter Current Log.
    • In Event IDs, enter: 4624, 4625, 4634, 4648, 4672, 4720, 4726, 4732, 4738, 4719
    • Click OK.
    • These IDs help you spot successful logins, failed logins, logoffs, explicit credential use, admin-level access, user account creation/deletion, group membership changes, account changes, and audit policy changes.
  3. Review suspicious login events closely.

    • Double-click an event such as 4624 or 4625.
    • Check fields like Account Name, Logon Type, Source Network Address, Workstation Name, and Time Created.
    • Pay attention to:
      • Logon Type 10 for Remote Desktop
      • Logon Type 3 for network access
      • Repeated 4625 failures from the same IP or account
      • 4672 events showing elevated privileges assigned at logon
  4. Look for account and policy changes.

    • In the filtered Security log, review:
      • 4720 for a user account created
      • 4726 for a user account deleted
      • 4732 for a user added to a privileged group
      • 4738 for account changes
      • 4719 for audit policy changes
    • If you see these events and did not make the change, treat them as suspicious.
  5. Check related logs for supporting evidence.

    • In Event Viewer, expand Applications and Services Logs > Microsoft > Windows.
    • Review logs such as TerminalServices-LocalSessionManager and RemoteDesktopServices-RdpCoreTS if you suspect Remote Desktop access.
    • Compare timestamps with Security log events to confirm what happened and when.
  6. Secure the PC if you find suspicious activity.

    • Disconnect the PC from the internet if active abuse is ongoing.
    • Change passwords for affected Windows, Microsoft, email, and admin accounts.
    • Disable Remote Desktop if you do not use it: press Win + I > System > Remote Desktop > turn it Off.
    • Remove unknown accounts: press Win + R, type lusrmgr.msc, and check Users and Groups if your Windows edition supports it.
    • Run a full Windows Security scan: open Windows Security > Virus & threat protection > Scan options > Full scan.
  7. Save evidence for later review.

    • In Event Viewer, right-click Security and choose Save All Events As.
    • Save the log file before clearing anything so you can review it later or share it with IT support.
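The filtering from steps 2 through 4, done from an elevated PowerShell prompt instead of the Event Viewer dialog. This is an added example, not part of the original article or of Kudu; the 7-day window, the threshold of 5 failures, and the helper name ConvertTo-LogonRecord are assumptions chosen for illustration.

```powershell
# Added example. Run in an elevated session: reading the Security log needs admin rights.
$Days          = 7   # assumption: how far back to look
$FailThreshold = 5   # assumption: failed sign-ins per source/account worth a closer look

# Hypothetical helper: flatten the EventData fields of a 4624/4625 record.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $Record.TimeCreated
        EventId     = $Record.Id
        Account     = $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

$since  = (Get-Date).AddDays(-$Days)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertTo-LogonRecord $_ }

# Step 3: repeated 4625 failures from the same source address and account
$logons | Where-Object EventId -eq 4625 |
    Group-Object SourceIP, Account |
    Where-Object Count -ge $FailThreshold |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 3: successful network (type 3) and Remote Desktop (type 10) logons
$logons | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in '3', '10' } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Account, LogonType, SourceIP, Workstation -AutoSize

# Step 4: account, group and audit-policy changes
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726, 4732, 4738, 4719; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } -AutoSize
```

An empty table means no matching events were recorded in the window, which can also happen if the relevant audit policy is not enabled.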

Fix It Automatically with Kudu

Kudu can help review Windows security settings, spot risky configuration changes, and surface problems that may point to unauthorized access without making you dig through Event Viewer alone. It gives you a faster way to catch weak points, clean up unsafe settings, and improve your PC’s overall security posture.
