Event Viewer clear logs - and how to see if laptop has been used

Dear all

When I press the power button on my laptop, it get logged in Event Viewer i Windows.

That way I know, that the laptop has not been turned on by others than me.

Then I saw, that it is possible to clear logs.

1.
What happens to cleared logs in Event Viewer - are they completely gone?

2.
Other ways to find out, if the laptop was turned on by other than me?

Thank you

dalchina said:

I suppose you could do a global search for files modified after a certain date... just to check what's changed..

Don't set up your laptop to log you in automatically into an account, and leave the default to require the user to enter a password or PIN after resuming.

I already have a strong password for my user / only user

But would be nice to know, if someone powered on the laptop and had intentions of trying something / hacking

- - - Updated - - -

Hearsepilot said:

I suggest you protect your machine with a strong user password or pin.

I already have a strong password for my user / only user

But would be nice to know, if someone powered on the laptop and had intentions of trying something / hacking

If, from an admin level CMD or POWERSHELL prompt you run powercfg /sleepstudy an html file is created at windows\system32\sleepstudy-report.html
In it there is a table showing active times, whether on battery or AC and, usefully when a shutdown occurs. See attached...



The 2 SHUTDOWN entries at 1048 and 1101 were restarts installing .NET updates today.
The SHUTDOWN entry at 1700 was a real shutdown and power off initiated by me. The Active entry immediately after shows the laptop has been powered back on - obviously initiated by me and quite legitimate!

If you were to run the sleepstudy after you powered your laptop on and there was no Active time other than when you were expecting it then it hasn't been powered on. I don't know where the data for the sleepstudy comes from but I guess it is part of Windows ACPI power/battery management.
Hope this might help ....

Saints76 said:

If, from an admin level CMD or POWERSHELL prompt you run powercfg /sleepstudy an html file is created at windows\system32\sleepstudy-report.html
In it there is a table showing active times, whether on battery or AC and, usefully when a shutdown occurs. See attached...



The 2 SHUTDOWN entries at 1048 and 1101 were restarts installing .NET updates today.
The SHUTDOWN entry at 1700 was a real shutdown and power off initiated by me. The Active entry immediately after shows the laptop has been powered back on - obviously initiated by me and quite legitimate!

If you were to run the sleepstudy after you powered your laptop on and there was no Active time other than when you were expecting it then it hasn't been powered on. I don't know where the data for the sleepstudy comes from but I guess it is part of Windows ACPI power/battery management.
Hope this might help ....

Thank you

Great input

Would it be possible to change this list, for someone to cover his tracks?

I do not know how to amend/alter/delete these entries. To alter them probably requires the laptop to be powered on. But powering it down produces the Shutdown entry. And to delete that entry probably requires the laptop to be powered on but powering it down produces the Shutdown entry and to delete that entry probably requires the laptop to be powered on but powering it down produces the Shutdown entry and so on ad infinitum......

Perhaps if someone has the skills/knowledge to affect these powerup/down entries they would have other skills beyond my pay scale! And could do other undetectable things!

If you are really worried whether another (simple) user has powered up your laptop then my suggestion should allay your fears.