Tracking illicit computer use? XP Home
#1
Scooby Regular
Thread Starter
Join Date: Oct 2000
Location: same time, different place
Posts: 11,313
Likes: 0
Received 4 Likes
on
2 Posts
I changed the password on someone else's user login on my PC, to stop them using it. I found out last night that they were using it while I was away without any password.
My first thoughts are that they got my (admin) password, deleted their own, and could thus get into their account. We've just moved house, and when he switched on while I wasn't there, apparently his password lock had mysteriously disappeared, freeing up his account, while two others were still there. Funny, that.
I'd like to examine previous use of the machine for each user, but am not sure how. Firstly I'm no security expert, and secondly the machine is at home without internet while I type this at work 10 miles away (on a non-XP machine), so please bear with me!
Last night I right-clicked on My Computer, got Manage, and looked at ?Event Log. When I look at the event log for my login, it shows a lot of activity at times when I know I wasn't there, and the event log on his login shows activity when he shouldn't have been using it. But it's not clear if it shows activity on each login, that proves it was being used, or if for instance I have Norton AV on the machine and, because the machine was being used by one user, Norton ran and therefore logged as an event on all users, ie it doesn't really prove anything about individual illicit user activity.
I see also there are Event Codes? Can I get a table of these which tell me which action was being taken? Is this a good idea?
Any other hints gratefully received, but pref. Windows-based, I'm useless with DOS hacking.
Many thanks in advance
Brendan
#5
Scooby Regular
Thread Starter
Seriously, please.
Jye, I don't like to say it as it sounds like I'm being a killjoy parent, but it's my PC and it's my teenage son who has been logged off it for various disciplinary reasons (my wife has the other user ID). Sorry if this caginess resulted in confusion.
I've pretty much accused him last night of doing this, which he denies emphatically, so I told him that I would try to find out the truth today and either fully apologise or punish him this evening.
Keystroke monitors etc pointless as this is in the past.
Am I right to look at the Event log, and if so, how do I interpret it more clearly?
Thanks again
Brendan
#6
Scooby Regular
Join Date: Oct 2002
Location: N.Ireland
Posts: 742
Likes: 0
Received 0 Likes
on
0 Posts
Open the event log and go to the Security log; if you have been auditing logon/off then you will have these events to look at. You have to turn auditing on in the local security policy to be able to have something to look at. Click View and Filter, then you will be able to enter search criteria to search for specific events, dates, privilege use etc.
Change your password for something hard to guess, upper and lower characters, alphanumeric etc.
#7
Scooby Regular
Join Date: Mar 1999
Location: Dumbartonshire
Posts: 5,896
Likes: 0
Received 0 Likes
on
0 Posts
--Jye, I don't like to say it as it sounds like I'm being a killjoy parent, but it's my PC and it's my teenage son who has been logged off it for various disciplinary reasons (my wife has the other user ID). Sorry if this caginess resulted in confusion.--
NP, sounds very reasonable m8. I think the answer above should tell you all you need to know.
#8
Scooby Regular
Thread Starter
Thanks for that. I can't question much more as I don't have the PC here, but do I get the impression that I should have clearly switched on some sort of monitor/audit process, in order to have records to look at? Because I didn't. I can only look at what was there already. There seem to be plenty of events logged, I just can't make much sense of them. Frankly, definitive proof of my login being used while I'm at work is almost good enough, though a clear activity trail would be interesting.
My password is very simple and he knows it, it's just to stop casual abuse. His mate is a computer whizz and has already offered a program to hack my password - my son wisely refused as he knew it would get him into a whole load more trouble if I found out.
Aside from the enquiries above, I'll probably be back tomorrow with more questions...
Cheers
Brendan
#9
If it's XP Pro he could have set up a user account that you can't see
Start/Administrative Tools/Computer Management/Local Users and Groups/Users
Look in there - it stores all the logins but you don't necessarily see them in Users in Control Panel.
Change Admin password and remove anything "dodgy" sounding.
Might want to reset "guest" password as well
Jza
#10
Scooby Regular
Thread Starter
Jza - thanks, but waaaaay too advanced for him (and it's home, not pro)... Mum walked past and saw his CounterStrike wallpaper, so nothing so complicated.
It's a real shame, as I was about to lift the ban, he's just about complied (minimum humanly possible) with what I asked him to do.
#11
Scooby Regular
Join Date: Jun 2002
Location: Switzerland
Posts: 643
Likes: 0
Received 0 Likes
on
0 Posts
Do you leave it running whilst you're at work? If you look in the event log it will also have start up and shut down times. Not very conclusive as he could just have turned it on, but my guess would be that if this happened then it's for a reason.
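An added example, not written by any poster in this thread: the Security-log logon/logoff events from post #6 and the start-up/shut-down times from post #11, combined into per-account console sessions and checked against a window when the owner was away. The CSV column layout, date format, account names and sample rows are assumptions constructed for illustration; logon events (528/538/551) exist only if logon auditing was already enabled.

```python
import csv, io, re
from datetime import datetime

# Constructed sample rows, not real log data. Assumed export column layout:
# Date,Time,Source,Type,Category,Event,User,Computer,Description
SAMPLE = """\
14/03/2005,07:40:11,EventLog,Information,None,6005,N/A,HOMEPC,The Event log service was started.
14/03/2005,07:41:02,Security,Success Audit,Logon/Logoff,528,HOMEPC\\dad,HOMEPC,Successful Logon: User Name: dad Logon Type: 2
14/03/2005,08:05:30,Security,Success Audit,Logon/Logoff,538,HOMEPC\\dad,HOMEPC,User Logoff: User Name: dad Logon Type: 2
14/03/2005,08:06:00,EventLog,Information,None,6006,N/A,HOMEPC,The Event log service was stopped.
14/03/2005,16:10:45,EventLog,Information,None,6005,N/A,HOMEPC,The Event log service was started.
14/03/2005,16:11:20,Security,Success Audit,Logon/Logoff,528,NT AUTHORITY\\SYSTEM,HOMEPC,Successful Logon: User Name: SYSTEM Logon Type: 5
14/03/2005,16:12:03,Security,Success Audit,Logon/Logoff,528,HOMEPC\\son,HOMEPC,Successful Logon: User Name: son Logon Type: 2
14/03/2005,17:20:00,EventLog,Information,None,6006,N/A,HOMEPC,The Event log service was stopped.
"""

# XP-era event IDs: 528 logon, 538/551 logoff, 6006 event log stopped (shutdown)
LOGON, LOGOFF, SHUTDOWN = "528", {"538", "551"}, "6006"

def parse(text):
    """Yield (timestamp, event_id, account, logon_type) for each exported row."""
    for r in csv.reader(io.StringIO(text)):
        if len(r) < 9:
            continue                            # skip blank or truncated rows
        when = datetime.strptime(r[0] + " " + r[1], "%d/%m/%Y %H:%M:%S")
        m = re.search(r"Logon Type:\s*(\d+)", r[8])
        yield when, r[5], r[6].split("\\")[-1], m.group(1) if m else None

def interactive_sessions(text):
    """Pair each console logon (type 2) with its logoff or the next shutdown."""
    open_, done = {}, []
    for when, event, account, ltype in sorted(parse(text), key=lambda e: e[0]):
        if event == LOGON and ltype == "2":     # ignore service/network logons
            open_[account] = when
        elif event in LOGOFF and account in open_:
            done.append((account, open_.pop(account), when))
        elif event == SHUTDOWN:                 # shutdown ends every open session
            done += [(a, s, when) for a, s in open_.items()]
            open_.clear()
    return done + [(a, s, None) for a, s in open_.items()]  # still logged on

def used_during(sessions, start, end):
    """Sessions overlapping the window in which the account owner was away."""
    return [s for s in sessions if s[1] < end and (s[2] is None or s[2] > start)]
```

Filtering on logon type 2 is what separates a person at the keyboard from background activity such as a service or antivirus scan logged under SYSTEM.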
#13
Another vote for 007 here, it really is VERY good and completely and utterly invisible if you install it correctly.
It will record EVERY button pressed from xp logon onwards and take screenshots at whatever interval you choose, will even email you the html log file at regular intervals totally behind the scenes, not listed in task manager etc.
#18
Scooby Regular
Join Date: May 2002
Location: Liverpool
Posts: 3,229
Likes: 0
Received 0 Likes
on
0 Posts