Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How track IP modifications on Windows 2000/XP

Posted on 2004-04-05
10
739 Views
Last Modified: 2013-12-04
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

Thank you!
0
Comment
Question by:istvan_kope
  • 5
  • 3
  • 2
10 Comments
 
LVL 12

Accepted Solution

by:
trywaredk earned 50 total points
ID: 10755776
Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10755885
You could also run this vbScript in your logonscript (CALL %systemroot%\system32\wscript.exe YourVbScriptName.vbs)


Option Explicit
On Error Resume Next
      Dim wshNetwork, oLocator, oService, sSql, oEnum, Item, i, sGetIpAddress, sComputerName, fso, fh, sLogFile

      Set wshNetwork = wScript.CreateObject("WScript.Network")
      sComputerName = wshNetwork.ComputerName

      Set fso = CreateObject("Scripting.FileSystemObject")
      Set oLocator = WScript.CreateObject("WbemScripting.SWbemLocator")
      Set oService = oLocator.ConnectServer(sComputerName)

      sSql = "Select IPAddress from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE"

      On Error Resume Next
      Set oEnum = oService.ExecQuery(sSql)
      For Each Item in oEnum
            If Not IsNull(Item.IPAddress) Then
                  For i=LBound(Item.IPAddress) to UBound(Item.IPAddress)
                        sGetIpAddress = Item.IPAddress(i)
                  Next
            End If
      Next

      sLogFile="\\YourServerName\YourShareName\" & sComputerName & "." & sGetIpAddress & ".log"
      
      On Error Resume Next
      Set fh = fso.OpenTextFile(sLogFile, 8, True,0)                        '8=appending
      fh.Write Now & " ---->   " & sGetIpAddress & vbCrLf
      fh.Close

      Set wshNetwork = Nothing
      Set fso = Nothing
      Set fh = Nothing      
      Set oLocator = Nothing
      Set oService = Nothing
      Set oEnum = Nothing
0
 

Author Comment

by:istvan_kope
ID: 10757436
If the security audit is not enabled there is no way other log which can tell that the IP was changed? Is there a service which is restarted when the IP is changed?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 12

Expert Comment

by:trywaredk
ID: 10758081
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C5019ABF-2C77-40E0-B7E0-91A85C63A831}\Parameters\Tcpip]
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10758092
... and a lot more - search after your own ip-address in registry
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10759895
Your DHCP server will log what machines have what, on any given day. You'd need to save it's log's pretty regularly, probably daily. That is if your dhcp program supports logging, most do. Instead of a big long VBscript, you could issue a call to a batch file that ran "ipconfig" ... and save that to a text file. And as mentioned, the registry will keep that info handy, however it won't keep previous IP's logged anywhere.
-rich
0
 

Author Comment

by:istvan_kope
ID: 10763243
I don't want to know the IP address I just want to track if it was changed. So can you tell me which services are restarted when the IP is changed?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 10765255
Usually all the services are restarted...because typically to get a different ip, you reboot, or you issue a "release" and "renew" command to obtain a new IP (this is done during each reboot btw). An easy way to track is with a text file with the ip in it, and compare that txt file to the one taken the day before...

Again, the DHCP server will log what ip's are with what computer (at the very least what MAC address has what IP)
No service "NEEDS" restarted if you change the ip in windows. In linux, the Network service needs restarted usually.

Your Question:
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

We've told you a few ways to track it. No it is not saved in the event log.
you could get a program that will notify you if an ip has changed: http://www.barefootinc.com/ipmonitor.htm
You could script Netstat to scan your subnet... http://www.techtv.com/screensavers/windowstips/story/0,24330,3348692,00.html
-rich
0
 

Author Comment

by:istvan_kope
ID: 10772071
Can you tell me how can I enable the security audit from the domain server on every workstation?
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10828560
Set the policy on the domain controller in the Organisational Unit, where the computers are

:o) Glad we could help you - thank you for the points

0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question