Solved

Tool to extract information from Windows XP User Profiles?

Posted on 2010-08-31
Last Modified: 2012-06-22
Hello everyone, hoping you guys can help me out.  I work in the IT Department at my workplace - with the Desktop Support group.  Recently, one of the departments at my workplace has had issues with some of their employees going to websites they shouldn't be going to, such as online gaming, cell phone sites, etc. I have been tasked with weeding out this information from these "general use" PCs that are exhibiting the problem sites.  I have never done this and I'm having trouble finding information on the subject.

As an example of the type of information I'm looking for:  On one particular PC, I need to find out all the people who logged in on a particular night in between 12:00AM and 6:00AM.  I also need to find out what websites they visited while logged in.

Can anyone recommend some programs/tools to help me with this (hopefully free software)?  Any advice/suggestions are welcome and appreciated.  Thanks for your time.
0
Question by:JPerkins_MMH
11 Comments
 
LVL 3

Expert Comment

by:vladh
0
 
LVL 5

Expert Comment

by:DanMar
If you are using a proxy server, e.g. Forefront/ISA etc., this will be logged on the server, and either built-in reporting or third-party tools are available.  Do you know what proxy is in use?
0
 
LVL 3

Expert Comment

by:ngcmos
Well, the brute force approach: go to the computer with a program called Puppy Linux, go to the hard drive that's on the desktop, and use this file path: C:\Documents and Settings\user\Cookies. However, if they are using a login that is on a server domain, then this method won't work.
0
 

Author Comment

by:JPerkins_MMH
DanMar:
We currently do not have a proxy.  Our network admin is working on it, but it's only in testing phase (and likely will be that way for a long, long time).

vladh:
Thanks for the link.  I'll check that out.
0
 

Author Comment

by:JPerkins_MMH
ngcmos:
Yes, these computers are connected to my company's domain, and they are logging in with domain user accounts.  

vladh:
I checked the link, that doesn't really suit my current need.  I need to be able to check the logs of what they've already done.  I'm hoping that information is stored somewhere in their profiles local to each PC, and that there is a piece of software available (hopefully free) that will let me analyze that information for reporting to my superiors.
0

 
LVL 5

Expert Comment

by:DanMar
Without a proxy, not much is being logged outside the client PC.  I do suggest installing one.  There will be a few shareware/freeware ones out there.
To verify users & sites visited on the PCs you will need to check the event viewer on the machine & IE History.  Check security in Event Viewer and ensure history is enabled for previous x days e.g. 14 days in IE.  You could also click "view files" or check Temporary Internet folder and you will find the internet addresses visited.
This is not ideal for ongoing reporting.
0
 

Author Comment

by:JPerkins_MMH
Well, this won't be an ongoing report.  I found out you can check web history through the .DAT files in each profile.  It's not much, but it does show some information.  

Can you recommend a free proxy program?  I'd like to be prepared in the future with something I can install to check what websites were visited more thoroughly.
0
 

Author Comment

by:JPerkins_MMH
Also, I need to be able to tell who is logged into Windows when the websites are visited.  These are general use PCs, and can be used by anyone in the department.
0
 
LVL 5

Expert Comment

by:DanMar
You can find who is logged in through the security section in the event viewer based on time & date.
I have had a look for free proxy server software and found this one:  CCPROXY here
http://www.youngzsoft.net/   It wouldn't be much work to set up.  If you need to look for more options, I would go to popular shareware sites, Google, etc. and search for "proxy server windows free", etc., compare ratings, and ensure that they are recent releases, i.e. 2009-2010.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Since there is no proxy, central logs will take a while to verify (but doable); check out the suspected user machine's browser history. You can check out IEHistoryView @ http://blogs.techrepublic.com.com/window-on-windows/?p=745

This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.

Download @ http://www.nirsoft.net/utils/iehv.html

Also Pasco - A command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. The field
@ http://sourceforge.net/projects/odessa

Also, verifying the event log for logon events will further confirm that the user is logged in during the browsing event. See "Audit logon events" in the article @ http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Other info
==============
Suggest that the proxy be implemented since you are going to enforce web surfing to specific sites. You can check out BlueCoat @ http://www.bluecoat.com/products/webfilter. The key is that proxy client setting has to be locked as well so that bypassing the setting cannot be done by user easily.

Bluecoat has a proxy client to enforce this policy as a machine global setting independent of browser. Alternatively, if the IE browser is the only uniform browser application used in the organisation, the Windows client has a built-in policy via the GPO, see link
@ http://lpakb.stbernard.com/webhelp/ODS/EnterpriseWebFilter/SupportFiles/OD0070.htm
0
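
The correlation the accepted answer describes (browser history checked against Security-log logon events for the midnight to 6:00 AM window), as an added example that is not part of the original thread. The CSV layouts, column names, sample rows and the -4 hour UTC offset are constructed assumptions; event IDs 528 (logon) and 538 (logoff) with logon type 2 (interactive) are the Windows XP Security log values.

```python
import csv, io
from datetime import datetime, time, timedelta
# Constructed Security log export (local time). XP: 528 = logon, 538 = logoff, type 2 = interactive.
SECURITY_CSV = r"""time,event_id,user,logon_type
2010-08-30 23:40:12,528,DOMAIN\alice,2
2010-08-31 00:55:03,538,DOMAIN\alice,2
2010-08-31 01:02:47,528,DOMAIN\bob,2
2010-08-31 01:10:00,528,DOMAIN\svc_backup,3
2010-08-31 03:30:19,538,DOMAIN\bob,2
2010-08-31 05:15:00,528,DOMAIN\carol,2
"""
# Constructed history export; timestamps assumed to be UTC, column names hypothetical.
HISTORY_CSV = """visited_utc,profile,url
2010-08-31 04:20:00,alice,http://games.example/play
2010-08-31 05:30:10,bob,http://phones.example/deals
2010-08-31 07:05:00,bob,http://games.example/lobby
2010-08-31 08:00:00,bob,http://phones.example/plans
2010-08-31 09:40:00,carol,http://news.example/
2010-08-31 13:00:00,carol,http://games.example/play
"""
FMT = "%Y-%m-%d %H:%M:%S"

def build_sessions(security_csv):
    """Pair each interactive 528 with the user's next 538; a logon with no logoff stays open (end=None)."""
    sessions, open_by_user = [], {}
    for row in csv.DictReader(io.StringIO(security_csv)):
        if row["logon_type"] != "2":
            continue  # ignore network/service logons, nobody was at the keyboard
        ts = datetime.strptime(row["time"], FMT)
        if row["event_id"] == "528":
            open_by_user[row["user"]] = ts
        elif row["event_id"] == "538" and row["user"] in open_by_user:
            sessions.append((row["user"], open_by_user.pop(row["user"]), ts))
    sessions += [(user, start, None) for user, start in open_by_user.items()]
    return sessions

def attribute_visits(history_csv, sessions, utc_offset_hours, start=time(0), end=time(6)):
    """Return (local_time, session_user_or_None, profile, url) for visits inside the window."""
    out = []
    for row in csv.DictReader(io.StringIO(history_csv)):
        local = datetime.strptime(row["visited_utc"], FMT) + timedelta(hours=utc_offset_hours)
        if not (start <= local.time() < end):
            continue
        user = next((u for u, s, e in sessions if s <= local and (e is None or local <= e)), None)
        out.append((local, user, row["profile"], row["url"]))
    return out

for local, user, profile, url in attribute_visits(HISTORY_CSV, build_sessions(SECURITY_CSV), -4):
    print(local, user or "NO SESSION", profile, url)
```

A visit reported with no covering session (the 04:00 entry here) usually means the clocks or time zones of the two sources do not line up, or the Security log has rolled over, and should be resolved before the result is reported.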
 

Author Comment

by:JPerkins_MMH
Thanks so much for the info and links breadtan.  I'll check those out.
0
