Zappo Posted March 22, 2013
I am trying to detect and log active time on a computer. I have been trying to use VBScript, but keep running into dead ends with each method. If the user logs off the machine, I can use the modified date of their NTUSER.DAT file. However, most of the people in the office simply lock their computers and don't log off, so that method doesn't really work since even locked that file gets written to as other events occur. I tried detecting the screensaver process, which works, however when the monitors go into powersave mode, the screen saver is shut down. I tried detecting the status of the monitors, but I only get back that they are powered on. Even if I turn it off, the status doesn't seem to change. If the computer puts the monitor in standby, status still doesn't change even though I should be able to detect that also. Any other ideas?
Fudge_Brownie Posted March 22, 2013
Why can't you log when they lock the computer? Or are they not locking their computer until the end of the day? If so, pretty sure you can change group policy to auto lock after X minutes. Push it, and call it a security measure. Log accordingly.
Is your company trying to measure employee productivity?
Zappo Posted March 22, 2013 (Author)
> Why can't you log when they lock the computer? Or are they not locking their computer until the end of the day? If so, pretty sure you can change group policy to auto lock after X minutes. Push it, and call it a security measure. Log accordingly.
> Is your company trying to measure employee productivity?

Certain employees, yes.
I am not trying to autolock, the employees lock the computer or log off. The log off I can detect easily enough, it is the unlock I need to detect. Those events are not logged on the server.
Fudge_Brownie Posted March 22, 2013
This is big brother kind of stuff?
Tip of the iceberg ;)
bdimag Posted March 22, 2013
> Certain employees, yes. I am not trying to autolock, the employees lock the computer or log off. The log off I can detect easily enough, it is the unlock I need to detect. Those events are not logged on the server.

it's still a logon but it's using cached credentials -- it would be in the individual computer's log
Zappo Posted March 22, 2013 (Author)
Still need a way of detecting it.
Is there a registry entry when it locks and unlocks?
bdimag Posted March 22, 2013
are you trying to do something as it happens? i thought you just needed a way to know when it happened? in which case, what's wrong with the event viewer? is it an issue with getting to that information?
Zappo Posted March 22, 2013 (Author)
The Event Viewer doesn't log when a computer is locked or unlocked, so it is useless in this case.
bdimag Posted March 22, 2013
windows 7(?):
lock event ID is 4800, and the unlock is 4801
http://technet.microsoft.com/en-us/library/dd772704(v=ws.10)
xp:
528: logon
538: successful logon
560: failed logon
i may have 28 & 38 reversed
and then under those, logon type 7 is lock/unlock
Fudge_Brownie Posted March 22, 2013
Ha, I just came here to basically say what Brian said.
Just tested it myself on an XP machine and it works. The Event "category" or text description reads Logon/Logoff but the properties have the numeric logon type. Though I'm only seeing a way to identify that the user unlocked, and not the event of locking. But I might be overlooking it, I don't do too much with policy or Windows admin.
GPO Page for XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/518.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/515.mspx?mfr=true
And the difference between those two
http://geekswithblogs.net/woodenshoe/archive/2005/08/30/51642.aspx
Zappo Posted March 22, 2013 (Author)
These audit events are being logged by default on any of the systems here. I turned them on for my machine to test and I am now getting the events. I am writing a script to query the event log now, so we shall see if I run into any more problems.
Zappo Posted March 22, 2013 (Author)
Typical. I can read the Application log without a problem, but the Security log always returns empty. Every time I have a new method to solve my problem, something else goes wrong! I will keep digging into this.
Fudge_Brownie Posted March 22, 2013
If VBScript isn't working out, you might have better luck with PowerShell. I've only used it a few times, but I'm pretty sure its primary purpose in life was doing tasks like this.
bdimag Posted March 22, 2013
is it a user security issue?... i just tried this and got results (I'm an admin on the machine)...

    Const CONVERT_TO_LOCAL_TIME = True
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    strComputer = "."
    ' The (Security) privilege in the moniker is needed to read the Security log
    Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
    ' Security-log events with code 538 whose message contains "Logon Type: 7"
    Set colEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security' and EventCode = 538 and Message like '%Logon Type: 7%'")
    For Each objEvent In colEvents
        Wscript.Echo "Category: " & objEvent.Category
        Wscript.Echo "Computer Name: " & objEvent.ComputerName
        Wscript.Echo "Event Code: " & objEvent.EventCode
        Wscript.Echo "Message: " & objEvent.Message
        Wscript.Echo "Record Number: " & objEvent.RecordNumber
        Wscript.Echo "Source Name: " & objEvent.SourceName
        Wscript.Echo "Time Written: " & objEvent.TimeWritten
        Wscript.Echo "Event Type: " & objEvent.Type
        Wscript.Echo "User: " & objEvent.User
        Wscript.Echo objEvent.LogFile
    Next

(copied and modified, ignore sloppiness)
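Added example, not part of any post in this thread: a PowerShell sketch that pairs the lock (4800) and unlock (4801) events mentioned above into "unlocked" intervals, including the cases where a lock has no preceding unlock or the session is still unlocked at the end of the log. The function name, parameter names and sample events are constructed for illustration; against a live machine it assumes Windows Vista/7 or later, the "Audit Other Logon/Logoff Events" audit subcategory enabled, and an elevated session (the Security log is not readable otherwise).

```powershell
# Pair lock (4800) / unlock (4801) records into intervals during which the
# workstation was unlocked. Names here are illustrative, not from the thread.
function Get-UnlockedInterval {
    param(
        [Parameter(Mandatory)] [object[]] $Records,  # objects exposing Id and TimeCreated
        [datetime] $Now = (Get-Date)                 # end time for a still-open interval
    )
    $unlockedAt = $null
    foreach ($r in ($Records | Sort-Object TimeCreated)) {
        switch ($r.Id) {
            4801 {  # unlock: open an interval unless one is already open
                if ($null -eq $unlockedAt) { $unlockedAt = $r.TimeCreated }
            }
            4800 {  # lock: close the open interval; a lock with no prior unlock is skipped
                if ($null -ne $unlockedAt) {
                    [pscustomobject]@{
                        Start   = $unlockedAt
                        End     = $r.TimeCreated
                        Minutes = [math]::Round(($r.TimeCreated - $unlockedAt).TotalMinutes, 1)
                        Open    = $false
                    }
                    $unlockedAt = $null
                }
            }
        }
    }
    if ($null -ne $unlockedAt) {  # log ends while the workstation is still unlocked
        [pscustomobject]@{
            Start   = $unlockedAt
            End     = $Now
            Minutes = [math]::Round(($Now - $unlockedAt).TotalMinutes, 1)
            Open    = $true
        }
    }
}

# Constructed sample records (not real log data) so the pairing runs offline.
$day = [datetime]'2013-03-22'
$sample = @(
    [pscustomobject]@{ Id = 4800; TimeCreated = $day.AddHours(8) }     # lock, no prior unlock
    [pscustomobject]@{ Id = 4801; TimeCreated = $day.AddHours(9) }     # unlock
    [pscustomobject]@{ Id = 4800; TimeCreated = $day.AddHours(12) }    # lock (lunch)
    [pscustomobject]@{ Id = 4801; TimeCreated = $day.AddHours(13) }    # unlock
    [pscustomobject]@{ Id = 4801; TimeCreated = $day.AddHours(13.5) }  # duplicate unlock
)
Get-UnlockedInterval -Records $sample -Now $day.AddHours(17) | Format-Table

# Live use from an elevated prompt:
# Get-UnlockedInterval -Records (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801 })
```

With the sample records this yields one closed interval of 180 minutes and one open interval of 240 minutes.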
Archived
This topic is now archived and is closed to further replies.