How Can I Check What Was Accessed on My Stolen Laptop?

Asked By CuriousCat42 On

I recently recovered my Windows 11 laptop after it was stolen, and I'm trying to figure out if the thief accessed any of my data. They gained admin access using the Utilman exploit, and a new local account called 'WsiAccount' was created while it was missing. Fortunately, everything else seems normal — no obvious missing files or changes. I've already checked the WiFi network history with WifiHistoryView and looked into Bluetooth logs and basic Event Viewer logs, but I haven't found anything useful yet.

I'm specifically looking for deeper logs that might help, ways to find out if files were accessed or copied, and information about that 'WsiAccount.' Also, I'm curious if there are any forensic tools (preferably free) to analyze this situation. Lastly, does Windows keep passive scan history for WiFi networks that were detected nearby? I'd like to avoid reinstalling Windows until I understand what happened.

Just to add some context, my house was invaded during this incident, and they took a lot of my belongings, so I really want to find out what I can.

4 Answers

Answered By GadgetGuru99 On

Honestly, I think your best bet might be to consider reformatting the laptop and starting fresh. I know you’d like to avoid that, but if you’re worried about security, it might be the safest option.

However, if you're looking for clues first, tools like 'Remo Uncover' can help you see what files were accessed. Also, check the Jump Lists in your recent files for any activity while it was missing. At least you'll have a clearer picture of what was done on your system before resetting everything.

CuriousCat42 -

I understand that, but I really want to see if I can gather any evidence first before taking such a drastic step.

Answered By TechWhiz88 On

It sounds like a tough situation, but one thing you should check is the Event Viewer. Look for Event ID 4720 for account creation and possibly Event ID 4688 if process auditing was enabled. This might show you if anything suspicious was done while you were locked out.

As for that 'WsiAccount,' it's a legit Windows account, likely linked to the Microsoft Authenticator or temporary access processes. Definitely keep an eye there. For WiFi networks, you can check the WLAN-AutoConfig logs for successful connections and even some attempts to connect to nearby SSIDs, which might give you a clue about where your laptop was used.
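The log checks described in the answer above can be run as one PowerShell pass limited to the period the laptop was missing. This is an added example, not part of any answer in the thread. The date window is a placeholder, the helper name `Get-WindowEvent` is hypothetical, and the WLAN-AutoConfig event IDs 8001 (connected) and 8002 (connection failed) are supplied here rather than by the thread.

```powershell
# Added example: run from an elevated prompt (the Security log needs admin rights).
# Placeholder window: replace with the period the laptop was actually missing.
$Start = Get-Date '2024-01-01 00:00'
$End   = Get-Date '2024-01-15 00:00'

# Hypothetical helper: events from one log, inside the window, oldest first,
# with the named <Data> fields of each event flattened into a hashtable.
function Get-WindowEvent {
    param([string]$LogName, [int[]]$Id)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = $Start; EndTime = $End }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            $fields = @{}
            $eventData = ([xml]$_.ToXml()).Event.EventData
            if ($eventData) {
                foreach ($node in $eventData.SelectNodes('*')) {
                    $name = $node.GetAttribute('Name')
                    if ($name) { $fields[$name] = $node.InnerText }
                }
            }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Data = $fields }
        }
}

# 4720: a user account was created (who created which account, and when).
Get-WindowEvent -LogName Security -Id 4720 | ForEach-Object {
    '{0:u}  account created: {1} (by {2})' -f $_.Time, $_.Data.TargetUserName, $_.Data.SubjectUserName
}

# 4688: process creation; present only if that auditing was enabled beforehand.
Get-WindowEvent -LogName Security -Id 4688 | ForEach-Object {
    '{0:u}  process: {1} (user {2})' -f $_.Time, $_.Data.NewProcessName, $_.Data.SubjectUserName
}

# WLAN-AutoConfig: 8001 = connected to a network, 8002 = connection attempt failed.
Get-WindowEvent -LogName 'Microsoft-Windows-WLAN-AutoConfig/Operational' -Id 8001, 8002 |
    ForEach-Object {
        $state = if ($_.Id -eq 8001) { 'connected' } else { 'failed' }
        '{0:u}  wifi {1}: SSID "{2}"' -f $_.Time, $state, $_.Data.SSID
    }
```

An empty result for a section means no matching events were recorded in the window, which for 4688 can simply mean process auditing was off.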

Answered By ForensicsFan On

Just a heads-up, if they connected to your WiFi, you might be able to see which networks they used, but that info alone won't help unless you know the locations.

And if you want to dive deeper, look into using USBDeview from NirSoft to see if any USB devices were connected while it was gone. You might find some useful info there, especially if they copied files off. Don't forget to take care of your emotional wellbeing after this, it's a lot to deal with.

Answered By CuriousCat42 On

While it’s important to understand what happened, you might want to consult a tech-savvy friend or local expert who can help you sift through the logs safely. As for passive WiFi scanning data, Windows doesn’t really store that kind of information, but checking the Event Viewer can still give you valuable insights.
