Did you delete an email message in your Outlook Inbox and then empty the Deleted Items folder? Are you adamant an email was in your Inbox and now it is gone, and nothing exists in the Deleted Items folder?
Surprise, there is an easy way to check your activity in Windows. If you would like to entertain yourself with a little sleuthing through the Windows operating system, read ahead.
Your Windows PC contains a system that logs all sorts of internal error and popup messages, designed to help the user troubleshoot errors. It is right under the hood and can be accessed anytime to review. If your computer is running perfectly fine (are they ever?), there is no need to look at this information; however, it is fun to view these items and see what Windows records about you. This system is known as the Windows Event Viewer.
If you have a copy of the MS Office Suite (Word, Excel, PowerPoint, etc.) installed on your machine, then a special log exists tied specifically to those applications. This is the “OAlerts.evtx” log and it can be examined using the Windows Event Viewer. Unlike many of the system log records, the OAlerts.evtx log leaves information behind that even the most novice computer user can understand.
To access the Windows Event Viewer, type “event viewer” in the Windows search box in the lower-left portion of your desktop. The below graphics are from a Windows 10 system, but if you are still using the Windows 7 operating system, the same will apply:
The Windows search will pop up options directly above in a box. Click on “Event Viewer App”:
Click on the Event Viewer icon and you will be presented with the Event Viewer interface. Expand the “Applications and Services Logs” menu by clicking on the “>” to the left:
Click on the “Microsoft Office Alerts” icon:
The Event Viewer interface will display, similar to the graphic above the title to this post. It may take a few seconds to populate the interface with log entries so wait a bit. Once it fills the top panel with entries, you can click on each row, or click on a single row and then use the up/down arrows to scroll through the entries.
If you are a regular user of MS Word, one recognizable event that is tracked is when a document is being drafted and the user decides to close Word suddenly by clicking on the X in the upper right panel. Word will notify the user the document has not been saved, asking “Want to save your changes to <Document Name>?”. This is seen in the below graphic:
This popup notification is recorded in OAlerts and stamped with the date & time, as seen in the next graphic:
See the following screenshot (the same one displayed at the top of this post):
This example is consistent with a user emptying the Deleted Items folder within MS Outlook, which can be done by right-clicking on the Deleted Items folder and clicking on “Empty Deleted Items”. Windows wants to warn you of an impending action that will have consequences, recording that warning in the OAlerts.evtx log.
This is truly useful if you know you are suddenly missing something within your Outlook email system—check the Event Viewer’s Office Alerts and see what activity has occurred since you knew the item existed.
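The same check can be run from a PowerShell prompt instead of clicking through the viewer. The script below is an added example, not part of the original post; it assumes the log's channel name is `OAlerts` and that each event message begins with the application name followed by the prompt text, and the `$Since` and `$Keyword` parameters are names chosen here for illustration.

```powershell
# Added example: list Office alert prompts recorded in the OAlerts log
# for a chosen time window, filtered by a keyword in the prompt text.
# Assumptions (not from the article): the channel is named "OAlerts" and the
# event message is laid out as "<application>" then "<prompt text>" on
# separate lines. $Since and $Keyword are illustrative parameter names.
param(
    [datetime]$Since   = (Get-Date).AddDays(-7),  # start of the window to review
    [string]  $Keyword = 'delete'                 # text to look for in the prompt
)

# The log only exists when Microsoft Office is installed.
if (-not (Get-WinEvent -ListLog 'OAlerts' -ErrorAction SilentlyContinue)) {
    Write-Warning 'No OAlerts log found on this machine.'
    return
}

# -ErrorAction SilentlyContinue suppresses the error Get-WinEvent raises
# when no events fall inside the window.
Get-WinEvent -FilterHashtable @{ LogName = 'OAlerts'; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Keyword) } |
    Sort-Object TimeCreated |
    ForEach-Object {
        # Split the message into its non-empty lines.
        $lines = @($_.Message -split "`r?`n" | Where-Object { $_.Trim() })
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $lines[0]
            Prompt      = if ($lines.Count -gt 1) { $lines[1] } else { '' }
        }
    } |
    Format-Table -AutoSize -Wrap
```

Set `$Since` to the last time you know the item existed; each row then shows when a matching prompt appeared and which Office application raised it.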
The Event Viewer logs are an interesting way to understand exactly what Windows is tracking in the background. Take a few minutes to open up the viewer and see what is happening under the hood with Microsoft Office. Just poking around and reading the logs will not harm your Windows system and you may learn a bit more about what information your usage is leaving behind.
Quoted in Computerworld, Laptop Magazine, Businessweek, and other print and online news outlets, David Stenhouse brings 20+ years of computer forensics experience working with law firms and corporate clients. He is currently President of DS Forensics, Inc.
A former Special Agent in the U.S. Secret Service and Trooper with the Washington State Patrol, he is now so blessed to spend each day running a business with his best friend, high school sweetheart, and wife, Shay.