How to Check Activity on a Computer (2026) | PC Monitoring Software & Trackers
Why Checking Computer Activity Matters
Why bother checking computer activity at all? The reasons split into two camps, and the stakes look pretty different from each side.
If you’re checking your own machine, you’re usually trying to answer a specific question. Did someone use it while I was out? What did the kids actually get up to on the family laptop yesterday? Which file was I working on before the crash? Is something weird going on that might be malware? Built-in tools are usually fine for this.
The picture changes when you’re responsible for a fleet of devices. Now you’re juggling four overlapping problems:
- Productivity. Are people getting their work done, or stuck inside tools that don’t fit the job?
- Security. Is data slipping out the back door before anyone notices?
- Compliance. HIPAA, PCI-DSS, GDPR, SOC 2. They all want audit trails, and none of them are optional.
- Budget. Of all the SaaS licenses renewed last year, how many did anyone actually open? That’s where software license optimization starts to save real money.
Add hybrid and remote work, and manual checks fall apart fast. No manager has time to visit every desk pulling Event Viewer logs. This is the moment most organizations move to continuous, policy-driven user activity monitoring.
The principle that matters: monitor openly, monitor only what you need to, and have a written workplace monitoring policy that employees actually know about. Done well, monitoring quietly makes things run better. Done badly, it tanks morale and lands you in legal trouble.
The rest of this guide walks through every option, starting with the free built-in stuff and ending with the heavier tools.
How to Check Activity on a Windows Computer (Step-by-Step)
There isn’t one tool on Windows that captures everything, which is mildly annoying. What you reach for depends on the question. Was someone logged in last night? Event Viewer. What did they look at online? Browser history. Which files got touched? Recent Files. Here’s the order I’d work through them.
1. Event Viewer (the first stop)
Event Viewer is where Windows quietly logs everything that happens to the machine. Logins, sleep, wake, shutdowns, USB plug-ins. It’s all in there if you know where to look. First place I’d check if I thought someone used the computer without permission.
To see when the computer was actually used:
- Hit the Windows key, type Event Viewer, press Enter.
- In the left pane, expand Windows Logs and click System.
- On the right, click Filter Current Log.
- Under Event sources, tick Power-Troubleshooter and click OK.
- The middle pane now shows every power-up and wake-from-sleep.
If you see entries from times you weren’t there, something’s off.
To check who logged in:
- Event Viewer → Windows Logs → Security.
- Filter by Event ID 4624 (successful logon) or 4625 (failed).
- Each row gives you the username, timestamp, and login type.
A few catches with the built-in Windows logs:
- They tell you someone logged in, but not what they did afterward.
- The event codes are cryptic. You’ll be squinting.
- Only covers the one machine you’re on. No fleet view.
- Anyone with admin rights can clear the whole log.
For organizations that need centralized, tamper-resistant logon tracking, that gap is what dedicated employee monitoring software is for.
2. Monitor User Activity on Windows 10 and Windows 11
The built-in way to get detailed audit logging on Windows 10 or 11 is Group Policy.
- Press Windows + R, type gpedit.msc, press Enter.
- Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy.
- Double-click Audit logon events, enable Success and Failure.
- Do the same for Audit object access if you want file-level tracking.
- From here on, the events appear in Event Viewer’s Security log.
Heads up: this generates a lot of data. Thousands of events per day on a busy machine. If you’re running more than a handful of devices, enPowerManager is the better option. It pulls logon and logoff data across your fleet without forcing you to configure GPO on every endpoint by hand.
And to monitor remote machines, the built-in stack stops working. Event Viewer needs local admin access, which doesn’t really exist for distributed teams. You’ll need an agent-based tool.
3. Recently Accessed Files
Windows keeps a hidden Recent folder with everything that’s been opened lately.
- Press Windows + R.
- Type recent and press Enter.
- Sort the window by Date Modified.
You can also poke around File Explorer → Quick Access for the same kind of thing.
The downsides are obvious:
- Anyone can right-click and Clear recent items list.
- Timestamps only show last-modified, not every access.
- On a shared computer, there’s no record of who actually opened the file.
4. Task Manager and Reliability Monitor
Task Manager (Ctrl + Shift + Esc) shows what’s running right now. CPU, memory, network, per-app usage. Great for spotting weird stuff in real time, useless for history.
Reliability Monitor is the one most people forget about. To open it: Windows key, type Reliability Monitor, hit Enter. You get a daily timeline of installs, crashes, warnings, system events, going back weeks. Click into any day for detail. It’s free, ships with Windows, and almost nobody uses it.
5. Where Windows Activity Logs Live
The logs themselves are .evtx files in C:\Windows\System32\winevt\Logs\. Each log type (System, Security, Application) is its own file. Non-admin users can’t touch them, but anyone with admin rights can clear them in seconds. That’s the whole reason business-grade trackers store logs on a server instead of the endpoint.
Why Built-In Windows Tools Fall Short for Businesses
Put all of the above together, and you still have holes:
- Private and incognito browsing isn’t logged anywhere.
- No idle time tracking. You can’t tell if someone is working or just has the screen on.
- No way to see across multiple devices in one place.
- Logs are local, and admins can clear them.
- No alerts. You only catch issues when you go hunting for them.
That’s the gap dedicated monitoring software exists to close. More on that further down.
How to Check Activity on a Laptop
Using a laptop activity tracker on a personal device, or rolling out laptop monitoring across the company? The methods are mostly the same as desktop. There are a few wrinkles specific to laptops though.
1. Event Viewer on Laptops
The Event Viewer steps from the Windows section work identically on Windows laptops. Power-Troubleshooter is what you want here. It captures lid opens, wake events, shutdowns. That’s your laptop activity history.
2. Battery and Power Reports
This one’s an underused trick. Laptops generate a battery report that doubles as a usage tracker.
- Open Command Prompt as administrator.
- Run powercfg /batteryreport /output "C:\battery-report.html".
- Open the HTML file in your browser.
You get a daily breakdown of when the laptop was actually in use, sleep and wake cycles, and battery drain. Useful if you want to verify whether a laptop was being used at a particular time.
3. Tracking Laptop Usage Across a Fleet
At more than a couple of laptops, manual checks stop working. Anything serious needs centralized data:
- BrowseReporter for web, app, and idle-time tracking
- AccessPatrol for USB and removable-device control (especially important on laptops because they go everywhere)
- BrowseControl for web filtering that follows the device
Why Laptop Monitoring Is Trickier than Desktop
Three things make laptops different:
- Off-network usage. People work on planes, in cafes, at home on personal Wi-Fi. Anything that relies on your router or DNS logs misses most of that.
- Sleep states. Laptops spend half their day in modern standby or sleep, which chops the activity record into pieces.
- Theft and loss. Whatever tool you pick should ideally support remote lock or location.
Agent-based tools that report back to a central server once the laptop is back online solve all three. That’s the backbone of any decent remote employee management software.
How to Check Activity on a Mac (macOS)
Mac is more limited than Windows for monitoring, but the basics are covered.
1. Login History
Open Terminal, type last, and hit Enter. You’ll see every login session with username and timestamp. To narrow it to one user: last yourusername.
Prefer a GUI? Open Console (Cmd + Space, type Console), search for loginwindow. That’ll show login, logout, screen lock, and unlock events.
2. Recent Files and Apps
- Apple menu → Recent Items: recent apps, documents, servers
- Finder → Go menu → Recent Folders: folders you’ve opened lately
- Each app’s File → Open Recent menu, for per-app history
3. App Usage via Screen Time
System Settings → Screen Time gives you daily and weekly app usage, notifications, and pickups. It’s the closest thing macOS has to a built-in activity tracker, though it’s clearly designed for consumers, not IT teams.
4. USB History on Mac
In Terminal:
log show --predicate 'eventMessage contains "USB"' --last 7d
Limitations on Mac
There’s no equivalent to Reliability Monitor, no built-in way to manage multiple Macs from one console, and Screen Time isn’t enterprise-grade. Most teams running a mix of Macs and PCs end up reaching for a third-party cross-platform tool, because the native options just don’t stretch that far.
How to Check Internet Browsing Activity
Web activity is usually the first thing people want to check, and also the easiest to hide.
Method 1: Browser History
| Browser | Shortcut | Notes |
|---|---|---|
| Chrome | Ctrl + H | Syncs across signed-in devices |
| Edge | Ctrl + H | Syncs with Microsoft account |
| Firefox | Ctrl + Shift + H | Library view with search |
| Safari | Cmd + Y | Syncs via iCloud |
| Brave | Ctrl + H | Local only (privacy by default) |
The big caveat: none of these capture incognito or private browsing.
Method 2: DNS Logs
Your router or DNS server logs every domain queried, including from incognito sessions. The DNS lookup happens before encryption kicks in, so it gets recorded regardless.
On most home routers:
- Log into the admin panel (usually 192.168.1.1 or 192.168.0.1).
- Find Logs, System Log, or Traffic Monitor.
- Look at DNS queries by IP. Each one maps to a device.
Method 3: Windows DNS Cache
Run this from Command Prompt:
ipconfig /displaydns
You get every domain that was resolved recently, including ones visited in private mode, right up until the cache gets flushed.
Method 4: Dedicated Web Monitoring (for Businesses)
For an organization, the practical answer is BrowseReporter. Unlike browser history, it:
- Logs every site, including private and incognito browsing
- Tracks bandwidth, so streaming and large downloads stand out
- Splits active from idle time per site
- Sorts everything into productive, unproductive, and neutral categories
- Works in Terminal Server and RDS environments
If you want enforcement on top of visibility, pair it with BrowseControl. That handles category blocking by department, schedule, or user group.
For more on web monitoring strategy, our guide on internet usage policy creation goes deeper.
How to Check Application Usage
Knowing what apps are running, and for how long, answers questions browser history can’t:
- Is the software you’re paying for actually being used?
- Are people spending the day in approved tools, or in distractions?
- Is unauthorized software being installed under the radar?
Built-In Methods
Windows:
- Task Manager (Ctrl + Shift + Esc), real-time only
- Settings → Privacy → App History, coarse weekly summary, Microsoft Store apps only
- Reliability Monitor, for crashes and installs
Mac:
- Activity Monitor, for real-time CPU and memory
- Screen Time, daily and weekly app usage, per device
What the Built-Ins Don’t Do
- No fleet-wide view
- No active vs. idle split
- No long-term trend data
- No productive/unproductive categorization
- No alerts
What I’d Actually Recommend
For ongoing application monitoring, BrowseReporter tracks every Windows application by name, version, and active duration. The patterns it surfaces tend to land in three buckets:
- Software you can stop paying for. Licenses you bought, nobody opens.
- Productivity bottlenecks. Apps where people spend hours, with very little output.
- Shadow IT. Software that got installed without going through procurement.
That’s the foundation of effective productivity monitoring: measuring tool usage directly, not asking people to self-report.
How to Check USB Device & File Transfer Activity
USB is the most overlooked vector for data loss, and after the fact, it’s also the hardest to reconstruct.
Method 1: Event Viewer for USB
- Open Event Viewer.
- Go to Applications and Services Logs → Microsoft → Windows → DriverFrameworks-UserMode → Operational.
- Look for Event IDs 2003, 2010, 2100, 2105. Those are the USB connect/disconnect events.
Method 2: Registry (Forensic)
Every USB device ever plugged into a Windows machine leaves a fingerprint at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Manufacturer, serial number, device IDs, all of it. Useful for forensics, but nobody is going to crawl through this daily.
Method 3: AccessPatrol (Real Control)
For organizations, manually checking Event Viewer on every device isn’t really a plan. AccessPatrol, our data loss prevention tool, gives you:
- Activity dashboards. Aggregate and granular file transfer data.
- File operations history. Every file copied, modified, created, or deleted to a USB.
- Device restrictions. Block unauthorized devices entirely, or whitelist only approved hardware.
- Real-time email alerts. Get pinged the moment a blocked device gets plugged in.
- Devices accessed reports. Full history of every USB drive on every endpoint.
Combined with insider threat detection workflows, AccessPatrol turns USB monitoring from a post-incident forensics exercise into actual prevention.
Why USB Matters More Now
The average cost of an insider-driven data breach has climbed past $16M (IBM Cost of a Data Breach Report). Even small businesses can’t shrug off unmonitored USB ports anymore. A single departing employee with a thumb drive can walk out with years of customer data in a few seconds.
Best Personal Computer Monitoring Software in 2026
Built-in tools answer “did something happen?” Dedicated monitoring software answers “what happened, when, by whom, and is it actually a problem?” Here’s how the major options stack up for the most common 2026 use cases.
Best Overall PC Activity Tracker: BrowseReporter
BrowseReporter is what we build for organizations that need full activity visibility. It’s the CurrentWare module our productivity-tracking customers use most.
What it does:
- Web tracking. Every site visited, including private browsing.
- Application monitoring. Usage time, frequency, productivity grading.
- Active vs. idle time. Real work, separated from screen-on time.
- Trend analysis. Week-over-week productivity reports.
- Centralized dashboards. Every endpoint, one console.
- Remote-friendly. Works on Terminal Server, RDS, and remote employees.
- Tamper-resistant logs. Stored on the CurrentWare server, not the endpoint.
Best for USB and Data Loss Prevention: AccessPatrol
AccessPatrol is the data-exfiltration side of the suite. USB device control, file transfer logs, and real-time alerts when someone tries to use a blocked device.
Best for Web Filtering: BrowseControl
BrowseControl goes past monitoring into enforcement. Block website categories, restrict app launches, and apply different policies to different departments or shifts.
Best for Logon/Logoff Tracking: enPowerManager
enPowerManager handles computer time monitoring and power management. The big use case is fleet-wide logon and logoff reporting: “who used this computer, and when,” across hundreds of devices.
Why Businesses Pick CurrentWare Over Alternatives
For a single home PC, manual is fine. For an organization, the math falls apart fast.
| Capability | Manual Methods | CurrentWare Suite |
|---|---|---|
| Time to investigate one incident | Hours per device | Minutes across all devices |
| Coverage of private browsing | None | Complete |
| Idle vs. active time | Not tracked | Per-app, per-user |
| Tamper resistance | Users can clear logs | Centralized, locked |
| Multi-device scaling | Linear effort | Constant effort |
| Real-time alerts | None | Email and dashboard |
For straight comparisons against other platforms, see our breakdowns of ActivTrak alternatives, Teramind alternatives, and Insightful alternatives.
What to Look for in a Computer Activity Tracker
Whatever you end up choosing, CurrentWare or otherwise, the trackers worth your time share these qualities:
- Active vs. idle time accuracy. Without it, productivity reports are meaningless.
- Private browsing visibility. If incognito is a blind spot, it isn’t enterprise-grade.
- Centralized data storage. Logs on the endpoint mean logs the user can clear.
- Categorization. Productive/unproductive/neutral classifications save your analysts hours.
- Real-time alerting. Proactive beats reactive, every time.
- Multi-platform support. Windows, Mac, Terminal Server.
- Compliance-grade audit trails. HIPAA, PCI-DSS, SOC 2, GDPR.
BrowseReporter: Personal Computer Monitoring Software That Fits
- Track apps, websites, and USB activity across your fleet
- Monitor remote and hybrid employees without invasive surveillance
- Spot productivity gaps with categorized reporting
- 14-day free trial, no credit card required
Personal Use vs. Business Use
Which method is “right” depends entirely on context.
Personal Use
Built-in tools are usually enough when you’re:
- Checking your own usage
- Verifying occasional use of a shared family computer
- Investigating a one-off suspicion of unauthorized access
- Recovering recent file paths after a crash
For all of those, Event Viewer, browser history, and Recent Files cover most of what you need.
Employers and Businesses
Organizations need something fundamentally different:
- Continuous monitoring, not occasional spot checks
- Multi-device coverage (laptops, desktops, RDS, remote employees)
- Tamper resistance, so users can’t clear the logs
- Categorization (productive, unproductive, neutral)
- Alerts (proactive, not reactive)
- Compliance (audit trails for HIPAA, PCI-DSS, SOC 2)
Most organizations end up running multiple tools:
- BrowseReporter for web and app monitoring
- BrowseControl for web filtering and content control
- AccessPatrol for USB and removable media
- enPowerManager for power management and logon/logoff tracking
For distributed teams, the whole stack tends to be deployed as a remote employee management solution, covering on-prem, hybrid, and fully remote workforces from one console.
Legal Considerations (US, UK, Canada, EU)
Computer monitoring is generally legal in most places, as long as you go about it the right way. Specifics depend on where your employees are.
Universal Best Practices
- Tell employees. Written notice, ideally baked into the employment contract.
- Have an Acceptable Use Policy. Spell out what’s monitored, why, and how the data gets used.
- Stay in scope. Monitor business activity, not personal communications, where you can avoid it.
- Lock down the data. Monitoring logs are sensitive. Protect them like any other PII.
- Be proportionate. Don’t collect more than the business interest actually justifies.
By Region
United States:
- ECPA (federal) generally allows monitoring with consent or a business-purpose justification.
- A handful of states (Connecticut, Delaware, New York) require written notice.
- California layers CCPA and CPRA on top.
United Kingdom:
- UK GDPR plus the Data Protection Act 2018.
- Systematic monitoring needs a Data Protection Impact Assessment (DPIA).
Canada:
- PIPEDA federally. Ontario’s Working for Workers Act requires written electronic monitoring policies for any employer with 25+ workers.
- Quebec’s Law 25 adds explicit consent on top.
European Union:
- GDPR applies. Monitoring is processing of personal data.
- Article 88 and national labor laws add employee-specific protections.
- Works councils often have to be consulted before you deploy anything.
For more detail, see our employee monitoring laws guide and our workplace monitoring policy template.
Best Practices for Rolling Out Computer Monitoring
Moving from spot checks to dedicated monitoring software? Here’s the sequence I’d follow:
- Define the “why” first. Productivity? Security? Compliance? Each one points to different tools and different metrics.
- Write the policy before deploying the tool. Employees should hear about monitoring from HR, not from a Slack message after the fact. Our workplace monitoring policy template is a starting point.
- Tell people what’s happening. What’s monitored, what isn’t, what the data gets used for.
- Start with visibility, not enforcement. Run for 30 days in observation mode before applying any restrictions.
- Protect the data. Monitoring logs are sensitive. Restrict access, encrypt at rest, define retention periods.
- Review regularly. Categorization monthly, alerts weekly.
- Measure outcomes, not activity. The goal isn’t more data, it’s better decisions.
- Respect proportionality. Don’t screen-record every keystroke when usage time per app would answer the same question.
- Train managers on the data. Without context, dashboards mislead more than they inform.
- Iterate. Policies should evolve. Quarterly reviews catch drift before it becomes a problem.
Conclusion
There are a lot of ways to check activity on a computer. The right one depends on whether you’re investigating your own machine, looking into a suspicion, or running monitoring across hundreds of endpoints.
- Built-in tools (Event Viewer, Windows activity logs, browser history, Recent Files) are free, but they’re limited, manual, and easy to clear.
- Dedicated monitoring software like BrowseReporter and AccessPatrol gives you continuous, centralized, tamper-resistant tracking, and it’s built to scale.
For hybrid and remote organizations, the question isn’t really whether to use a computer activity tracker. It’s how to do it transparently, proportionately, and within the law. Get the policy and the tools right, and monitoring stops feeling like a surveillance concern. It becomes a productivity and security advantage.
Start your 14-day free trial of BrowseReporter. No credit card needed.
Frequently Asked Questions:
Honestly, depends on what you’re trying to do. For full web and application tracking, BrowseReporter is the strongest option, especially on active-vs-idle accuracy and remote work coverage. For USB and data loss prevention, AccessPatrol is purpose-built. For web filtering and content blocking, BrowseControl handles enforcement. Most organizations end up with the whole CurrentWare suite because the four products map cleanly onto the four needs.
The practical way is software like CurrentWare. A lightweight agent installs on each device and reports back to a central dashboard, so admins see web activity, app usage, idle time, and USB events on every endpoint without physically touching the machines. Built-in tools like Event Viewer need local access, and they don’t aggregate across devices, so they don’t really work for remote setups.
With native tools, you enable audit logging through Group Policy. Run gpedit.msc, go to Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy, and turn on “Audit logon events” and “Audit object access”. The events then show up in the Security log in Event Viewer. For continuous monitoring across multiple machines, you’ll need BrowseReporter, which adds web, application, and idle-time tracking that the built-in Windows tools don’t cover.
No, despite the name. Incognito only stops the browser from saving local history. DNS queries, network logs, and monitoring software all still see what’s happening. Tools like BrowseReporter capture web activity at the system level, so private mode isn’t actually private to the monitoring system.
As .evtx files in C:\Windows\System32\winevt\Logs\. The three main ones are System.evtx (system events), Security.evtx (logons and audit events), and Application.evtx (app crashes and warnings). You can read them through Event Viewer or with PowerShell’s Get-WinEvent. The catch: any user with admin rights can clear them. That’s exactly why business-grade trackers keep their logs on a centralized server instead.
Yes. Browser history, Recent Files, and Windows activity logs can all be cleared by anyone with the right permissions. That’s the main reason dedicated monitoring tools store their data on a central server instead of on the endpoint. Wipe the local browser history all you want, the server-side record stays put.
In the US, UK, Canada, and EU, yes, provided you go about it transparently. The usual requirements are written notice, a defined acceptable use policy, and scope that’s proportionate to the business interest. A handful of jurisdictions (Ontario, Connecticut, Delaware, New York) require explicit written policies on top of that.
Dedicated DLP tools like AccessPatrol track USB end-to-end: every device plugged in, every file copied or transferred, every blocked-device attempt. Windows Event Viewer can show basic connect and disconnect events, but it won’t track file operations and it won’t alert you to anything.
They use remote monitoring software like CurrentWare, which installs an agent on each work device and reports back over the internet. The agent typically tracks application usage, web activity, idle time, and USB events. Best practice is to disclose all of it transparently in the employment contract, and to limit monitoring to work hours and work-owned devices.
BrowseReporter tends to be the most common pick. Its agent reports back over the internet, so it doesn’t matter if the laptop is on the corporate network, at home, or sitting in an airport. You get web activity, application usage, idle time, and bandwidth across every laptop from a single console.
Software that records what happens on a computer: apps launched, websites visited, files accessed, USB devices plugged in, idle time. Trackers run the range from simple consumer tools like Apple’s Screen Time up to enterprise platforms like BrowseReporter, which aggregate data across hundreds of endpoints into one dashboard.
A reasonable sequence: (1) figure out the goal, whether that’s productivity, security, compliance, or all three; (2) write a workplace monitoring policy; (3) tell employees what’s coming; (4) run a free trial of BrowseReporter in observation mode for 30 days; (5) review the data with managers; (6) tune alerts and policies based on what you saw; (7) review quarterly and adjust.
Most modern ones are built to be lightweight, typically under 1% CPU and under 50MB of memory in normal operation. Older tools or poorly written ones can be noticeable, but well-engineered enterprise software is basically invisible to end users.
On Windows: open Event Viewer → Windows Logs → System, filter by Power-Troubleshooter. You’ll see every power-up and wake-from-sleep. Cross-check Security logs and Event ID 4624 for actual logons. On Mac: open Terminal, type last, and you’ll get every recent login session. Entries from times you weren’t there are a clear sign someone else was on the machine.
People use the two interchangeably, but technically a logger focuses on recording events (logons, app launches, file access) for forensic review after the fact, while a tracker adds real-time analysis: categorizing activity, alerting on anomalies, producing trend reports. Most modern tools do both.
Author
Rony Joseph
Head of Development, CurrentWare
Rony Joseph is the Head of Development at CurrentWare, bringing over 11 years of experience in cybersecurity, endpoint protection, and employee monitoring. He leads the development of solutions that help organizations protect sensitive data, improve productivity, and meet regulatory compliance requirements. With deep expertise in cybersecurity and technical leadership, Rony plays a pivotal role in driving innovation that supports secure and efficient digital workplaces.
