prunesquallor
asked on
Detecting Windows Logon events in XP/Vista
I'm developing an application where I need to detect logons and then display something when somebody has actually logged on. Note that the customer has specified 'logon' as any time a user goes through a signon screen (thus a workstation unlock counts as a logon here).
This is going to be used in Vista in the future, so Winlogon Notification Packages seem to be out, as does the GINA approach.
My readings imply that I have two ways to go:
- Service Control Manager Notifications (which seem to provide lock/unlock/logoff/logon states)
- the System Events Notification Service (which provides ISensLogon methods for the four above, plus others such as StartShell and StopScreenSaver).
Has anybody used or played with the above, and can they give comments on which is the best way to go? Note that the application will have to be able to look across different logons, so I suspect it will end up as a service. On the other hand, I'm still at the thinking stage so nothing's cast in stone.
Any and all comments welcome!
John B
Longshot here but what about turning on security logging for successful events. This would create an event in the event viewer for each successful logon/authentication.
No need to use a GINA here, take a look at "Winlogon Notification Packages": http://msdn.microsoft.com/en-us/library/aa380545.aspx
The pages linked from there will give you detailed information on how to handle the events described at http://msdn.microsoft.com/en-us/library/aa380544(VS.85).aspx ("Winlogon Notification Events")
On Vista, these are superseded by the System Event Notification Service (SENS) - see http://msdn.microsoft.com/en-us/library/aa376860.aspx ("ISensLogon Interface") for more on that.
ASKER
Thanks for the comments. My immediate responses are:
- Is it easy to programmatically read the event log (especially in real time - the program has to respond to the logon event)?
- I believe the Winlogon Notification Packages won't work under Vista (nor will GINAs), which alas puts them out of play.
- What I was looking for was if anyone had tried SENS vs Service Control Manager Notifications, and could recommend either approach. Or is SENS the 'official' way to go?
ATB and thanks,
John B
BTW, reading the Event Log would mean "polling", which is something you usually want to really avoid.
I have done something similar in the past. Adding the lines below to the logon script of all users you wish to affect will create a text log file of the user name, the computer to which they have logged on, the date and time, and the IP from which they have connected. Then the second part sends a pop-up message to "ComputerName" that "UserName" has logged in. In order for this to work, the Windows messaging service needs to be enabled. Please advise if you need more details.
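:Logging
REM Create the shared log file with a header line the first time the script runs
If Exist "\\ServerName\Logs\LogOns.Log" GoTo START
Echo Log File > "\\ServerName\Logs\LogOns.Log"
:START
REM Append user name, computer name, date and time for this logon
Echo Log On: %USERNAME% %COMPUTERNAME% %Date:~0,12% %Time:~0,5% >> "\\ServerName\Logs\LogOns.Log"
REM Append any established connections on port 3389 (Remote Desktop) to capture the client IP
Netstat -an |find "3389" |find /I "established" >> "\\ServerName\Logs\LogOns.Log"
:NOTIFY
REM Send a pop-up message to ComputerName announcing the logon
Net Send ComputerName %username% logging on
:END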
ASKER
Thanks!
ASKER
Thanks, all. Looks like I'll be reading the SENS stuff. Sorry for the delay in getting back (dead machine).
JB
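
The Service Control Manager route weighed in this thread, as an added example that is not part of any post: a minimal .NET service that receives session-change notifications and treats both a logon and a workstation unlock as a sign-on, as the question requires. The class name, the service name and the `OnUserSignedOn` helper are hypothetical.

```csharp
using System.Diagnostics;
using System.ServiceProcess;

// Added example: hypothetical service that reacts to SCM session-change notifications.
public sealed class LogonWatcherService : ServiceBase
{
    public LogonWatcherService()
    {
        ServiceName = "LogonWatcher";      // assumed name, not from the thread
        // Ask the SCM to deliver SERVICE_CONTROL_SESSIONCHANGE to this service.
        CanHandleSessionChange = true;
    }

    protected override void OnSessionChange(SessionChangeDescription change)
    {
        switch (change.Reason)
        {
            // The question counts an unlock as a logon, so both take the same path.
            case SessionChangeReason.SessionLogon:
            case SessionChangeReason.SessionUnlock:
                OnUserSignedOn(change.SessionId, change.Reason);
                break;

            case SessionChangeReason.SessionLogoff:
            case SessionChangeReason.SessionLock:
                EventLog.WriteEntry("Session " + change.SessionId + ": " + change.Reason,
                                    EventLogEntryType.Information);
                break;

            // Console/remote connect and disconnect are not sign-on screens; ignore them.
            default:
                break;
        }
    }

    // Hypothetical helper. On Vista a service runs in session 0 and cannot draw on
    // the user's desktop, so "display something" needs a helper process running in
    // the reported session (not shown); here the event is only recorded.
    private void OnUserSignedOn(int sessionId, SessionChangeReason reason)
    {
        EventLog.WriteEntry("Sign-on in session " + sessionId + " (" + reason + ")",
                            EventLogEntryType.Information);
    }

    public static void Main()
    {
        ServiceBase.Run(new LogonWatcherService());
    }
}
```

Because one service instance receives notifications for every session on the machine, this covers the "look across different logons" requirement without a per-user component for detection.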