How track IP modifications on Windows 2000/XP

Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

Thank you!
Who is Participating?
trywaredkConnect With a Mentor Commented:
Enable and Apply Security Auditing in Windows 2000;en-us;300549

HOWTO: Enabling Local Auditing Policies on Windows 2000;en-us;252412

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open
You could also run this vbScript in your logonscript (CALL %systemroot%\system32\wscript.exe YourVbScriptName.vbs)

Option Explicit
On Error Resume Next
      Dim wshNetwork, oLocator, oService, sSql, oEnum, Item, i, sGetIpAddress, sComputerName, fso, fh, sLogFile

      Set wshNetwork = wScript.CreateObject("WScript.Network")
      sComputerName = wshNetwork.ComputerName

      Set fso = CreateObject("Scripting.FileSystemObject")
      Set oLocator = WScript.CreateObject("WbemScripting.SWbemLocator")
      Set oService = oLocator.ConnectServer(sComputerName)

      sSql = "Select IPAddress from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE"

      On Error Resume Next
      Set oEnum = oService.ExecQuery(sSql)
      For Each Item in oEnum
            If Not IsNull(Item.IPAddress) Then
                  For i=LBound(Item.IPAddress) to UBound(Item.IPAddress)
                        sGetIpAddress = Item.IPAddress(i)
            End If

      sLogFile="\\YourServerName\YourShareName\" & sComputerName & "." & sGetIpAddress & ".log"
      On Error Resume Next
      Set fh = fso.OpenTextFile(sLogFile, 8, True,0)                        '8=appending
      fh.Write Now & " ---->   " & sGetIpAddress & vbCrLf

      Set wshNetwork = Nothing
      Set fso = Nothing
      Set fh = Nothing      
      Set oLocator = Nothing
      Set oService = Nothing
      Set oEnum = Nothing
istvan_kopeAuthor Commented:
If the security audit is not enabled there is no way other log which can tell that the IP was changed? Is there a service which is restarted when the IP is changed?
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.


... and a lot more - search after your own ip-address in registry
Rich RumbleSecurity SamuraiCommented:
Your DHCP server will log what machines have what, on any given day. You'd need to save it's log's pretty regularly, probably daily. That is if your dhcp program supports logging, most do. Instead of a big long VBscript, you could issue a call to a batch file that ran "ipconfig" ... and save that to a text file. And as mentioned, the registry will keep that info handy, however it won't keep previous IP's logged anywhere.
istvan_kopeAuthor Commented:
I don't want to know the IP address I just want to track if it was changed. So can you tell me which services are restarted when the IP is changed?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Usually all the services are restarted...because typically to get a different ip, you reboot, or you issue a "release" and "renew" command to obtain a new IP (this is done during each reboot btw). An easy way to track is with a text file with the ip in it, and compare that txt file to the one taken the day before...

Again, the DHCP server will log what ip's are with what computer (at the very least what MAC address has what IP)
No service "NEEDS" restarted if you change the ip in windows. In linux, the Network service needs restarted usually.

Your Question:
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

We've told you a few ways to track it. No it is not saved in the event log.
you could get a program that will notify you if an ip has changed:
You could script Netstat to scan your subnet...,24330,3348692,00.html
istvan_kopeAuthor Commented:
Can you tell me how can I enable the security audit from the domain server on every workstation?
Set the policy on the domain controller in the Organisational Unit, where the computers are

:o) Glad we could help you - thank you for the points

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.