?
Solved

How track IP modifications on Windows 2000/XP

Posted on 2004-04-05
10
Medium Priority
?
783 Views
Last Modified: 2013-12-04
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

Thank you!
0
Comment
Question by:istvan_kope
  • 5
  • 3
  • 2
10 Comments
 
LVL 12

Accepted Solution

by:
trywaredk earned 150 total points
ID: 10755776
Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10755885
You could also run this vbScript in your logonscript (CALL %systemroot%\system32\wscript.exe YourVbScriptName.vbs)


Option Explicit
On Error Resume Next
      Dim wshNetwork, oLocator, oService, sSql, oEnum, Item, i, sGetIpAddress, sComputerName, fso, fh, sLogFile

      Set wshNetwork = wScript.CreateObject("WScript.Network")
      sComputerName = wshNetwork.ComputerName

      Set fso = CreateObject("Scripting.FileSystemObject")
      Set oLocator = WScript.CreateObject("WbemScripting.SWbemLocator")
      Set oService = oLocator.ConnectServer(sComputerName)

      sSql = "Select IPAddress from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE"

      On Error Resume Next
      Set oEnum = oService.ExecQuery(sSql)
      For Each Item in oEnum
            If Not IsNull(Item.IPAddress) Then
                  For i=LBound(Item.IPAddress) to UBound(Item.IPAddress)
                        sGetIpAddress = Item.IPAddress(i)
                  Next
            End If
      Next

      sLogFile="\\YourServerName\YourShareName\" & sComputerName & "." & sGetIpAddress & ".log"
      
      On Error Resume Next
      Set fh = fso.OpenTextFile(sLogFile, 8, True,0)                        '8=appending
      fh.Write Now & " ---->   " & sGetIpAddress & vbCrLf
      fh.Close

      Set wshNetwork = Nothing
      Set fso = Nothing
      Set fh = Nothing      
      Set oLocator = Nothing
      Set oService = Nothing
      Set oEnum = Nothing
0
 

Author Comment

by:istvan_kope
ID: 10757436
If the security audit is not enabled there is no way other log which can tell that the IP was changed? Is there a service which is restarted when the IP is changed?
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 12

Expert Comment

by:trywaredk
ID: 10758081
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C5019ABF-2C77-40E0-B7E0-91A85C63A831}\Parameters\Tcpip]
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10758092
... and a lot more - search after your own ip-address in registry
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10759895
Your DHCP server will log what machines have what, on any given day. You'd need to save it's log's pretty regularly, probably daily. That is if your dhcp program supports logging, most do. Instead of a big long VBscript, you could issue a call to a batch file that ran "ipconfig" ... and save that to a text file. And as mentioned, the registry will keep that info handy, however it won't keep previous IP's logged anywhere.
-rich
0
 

Author Comment

by:istvan_kope
ID: 10763243
I don't want to know the IP address I just want to track if it was changed. So can you tell me which services are restarted when the IP is changed?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 10765255
Usually all the services are restarted...because typically to get a different ip, you reboot, or you issue a "release" and "renew" command to obtain a new IP (this is done during each reboot btw). An easy way to track is with a text file with the ip in it, and compare that txt file to the one taken the day before...

Again, the DHCP server will log what ip's are with what computer (at the very least what MAC address has what IP)
No service "NEEDS" restarted if you change the ip in windows. In linux, the Network service needs restarted usually.

Your Question:
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

We've told you a few ways to track it. No it is not saved in the event log.
you could get a program that will notify you if an ip has changed: http://www.barefootinc.com/ipmonitor.htm
You could script Netstat to scan your subnet... http://www.techtv.com/screensavers/windowstips/story/0,24330,3348692,00.html
-rich
0
 

Author Comment

by:istvan_kope
ID: 10772071
Can you tell me how can I enable the security audit from the domain server on every workstation?
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10828560
Set the policy on the domain controller in the Organisational Unit, where the computers are

:o) Glad we could help you - thank you for the points

0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Is your organization moving toward a cloud and mobile-first environment? In this transition, your IT department will encounter many challenges, such as navigating how to: Deploy new applications and services to a growing team Accommodate employee…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…

601 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question