Solved

Tool to extract information from Windows XP User Profiles?

Posted on 2010-08-31
Last Modified: 2012-06-22
Hello everyone, hoping you guys can help me out.  I work in the IT Department at my workplace - with the Desktop Support group.  Recently, one of the departments at my workplace has had issues with some of their employees going to websites they shouldn't be going to, such as online gaming, cell phone sites, etc. I have been tasked with weeding out this information from these "general use" PC's that are exhibiting the problem sites.  I have never done this and I'm having trouble finding information on the subject.

As an example of the type of information I'm looking for:  On one particular PC, I need to find out all the people who logged in on a particular night in between 12:00AM and 6:00AM.  I also need to find out what websites they visited while logged in.

Can anyone recommend some programs/tools to help me with this (hopefully free software)?  Any advice/suggestions are welcome and appreciated.  Thanks for your time.
Question by:JPerkins_MMH
11 Comments
 

Expert Comment

by:vladh
ID: 33566807

Expert Comment

by:DanMar
ID: 33567195
If you are using a proxy server e.g. Forefront/ISA etc. this will be logged on the server and either built in reporting or third party tools are available.  Do you know what proxy is in use?

Expert Comment

by:ngcmos
ID: 33567380
Well, the brute force approach: go to the computer with a program called Puppy Linux, go to the hard drive that's on the desktop, and use this file path: C:\Documents and Settings\user\Cookies. However, if they are using a login that is on a server domain then this method won't work.

Author Comment

by:JPerkins_MMH
ID: 33567386
DanMar:
We currently do not have a proxy.  Our network admin is working on it, but it's only in testing phase (and likely will be that way for a long, long time).

vladh:
Thanks for the link.  I'll check that out.

Author Comment

by:JPerkins_MMH
ID: 33567459
ngcmos:
Yes, these computers are connected to my company's domain, and they are logging in with domain user accounts.  

vladh:
I checked the link, that doesn't really suit my current need.  I need to be able to check the logs of what they've already done.  I'm hoping that information is stored somewhere in their profiles local to each PC, and that there is a piece of software available (hopefully free) that will let me analyze that information for reporting to my superiors.

Expert Comment

by:DanMar
ID: 33567822
Without a proxy not much is being logged outside the client PC.  I do suggest installing one.  There will be a few shareware/freeware ones out there.
To verify users & sites visited on the PCs you will need to check the event viewer on the machine & IE History.  Check security in Event Viewer and ensure history is enabled for previous x days e.g. 14 days in IE.  You could also click "view files" or check Temporary Internet folder and you will find the internet addresses visited.
This is not ideal for ongoing reporting.

Author Comment

by:JPerkins_MMH
ID: 33569096
Well, this won't be an ongoing report.  I found out you can check web history through the .DAT files in each profile.  It's not much, but it does show some information.  

Can you recommend a free proxy program?  I'd like to be prepared in the future with something I can install to check what websites were visited more thoroughly.

Author Comment

by:JPerkins_MMH
ID: 33569138
Also, I need to be able to tell who is logged into Windows when the websites are visited.  These are general use PC's, and can be used by anyone in the department.

Expert Comment

by:DanMar
ID: 33574687
You can find who is logged in through the security section in the event viewer based on time & date.
I have had a look for free proxy server software and found this one: CCProxy, here: http://www.youngzsoft.net/   It wouldn't be much work to set up.  If you need to look for more options I would go to popular shareware sites, Google etc. and search for "proxy server windows free" etc., compare ratings, and ensure that they are recent releases, i.e. 2009-2010.

Accepted Solution

by:
btan earned 500 total points
ID: 33598708
Since there is no proxy, central logs will take a while to verify (but doable); check out the browser history on the suspected user's machine. You can check out IEHistoryView @ http://blogs.techrepublic.com.com/window-on-windows/?p=745

This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.

Download @ http://www.nirsoft.net/utils/iehv.html

Also Pasco - A command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. The field
@ http://sourceforge.net/projects/odessa

Also, verifying the logon events in the event log will further confirm the user was logged in during the browsing event. See "Audit logon events" in the article @ http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Other info
==============
Suggest that the proxy be implemented since you are going to enforce web surfing to specific sites. You can check out BlueCoat @ http://www.bluecoat.com/products/webfilter. The key is that proxy client setting has to be locked as well so that bypassing the setting cannot be done by user easily.

BlueCoat has a proxy client to enforce this policy as a machine-global setting independent of the browser. Alternatively, if IE is the only browser application used in the organisation, the Windows client has a built-in policy via GPO, see link
@ http://lpakb.stbernard.com/webhelp/ODS/EnterpriseWebFilter/SupportFiles/OD0070.htm
0
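Added example (not part of the answer above, and not output from IEHistoryView or Pasco): one way to do the correlation the accepted answer describes, pairing logon/logoff records from the Security event log with visited-URL timestamps and keeping only the 12:00AM-6:00AM window from the question. The tuple layouts, user names and URLs are constructed sample data; 528 and 538 are the Windows XP Security log IDs for successful logon and user logoff, and both exports are assumed to be already converted to the same time zone.

```python
from datetime import datetime, time

FMT = "%Y-%m-%d %H:%M:%S"
LOGON, LOGOFF = 528, 538   # Windows XP Security log: successful logon / user logoff

# Constructed sample data (hypothetical users and URLs).
# Security log export: (timestamp, event_id, user)
EVENTS = [
    ("2010-08-30 23:40:10", 528, "DOMAIN\\asmith"),
    ("2010-08-31 01:15:00", 538, "DOMAIN\\asmith"),
    ("2010-08-31 01:20:30", 528, "DOMAIN\\bjones"),
    ("2010-08-31 07:05:00", 538, "DOMAIN\\bjones"),
]
# History export: (access_time, url, profile the index.dat came from)
VISITS = [
    ("2010-08-31 00:30:00", "http://games.example/", "asmith"),
    ("2010-08-31 02:10:00", "http://phones.example/", "bjones"),
    ("2010-08-31 01:17:00", "http://games.example/lobby", "asmith"),
    ("2010-08-31 06:30:00", "http://news.example/", "bjones"),
]

def sessions(events):
    """Pair each logon with the same user's next logoff -> (user, start, end)."""
    open_at, out = {}, []
    for ts, eid, user in sorted(events):
        t = datetime.strptime(ts, FMT)
        if eid == LOGON:
            open_at.setdefault(user, t)
        elif eid == LOGOFF and user in open_at:
            out.append((user, open_at.pop(user), t))
    # A logon with no logoff record (log cleared, crash) stays open-ended.
    out += [(u, s, datetime.max) for u, s in open_at.items()]
    return out

def correlate(events, visits, start=time(0, 0), end=time(6, 0)):
    """Attribute each visit inside the daily window to a covering logon session."""
    sess, rows = sessions(events), []
    for ts, url, profile in sorted(visits):
        t = datetime.strptime(ts, FMT)
        if not (start <= t.time() < end):
            continue
        users = [u for u, s, e in sess
                 if s <= t <= e and u.split("\\")[-1].lower() == profile.lower()]
        rows.append((ts, url, users[0] if users else f"UNCONFIRMED ({profile})"))
    return rows

if __name__ == "__main__":
    for row in correlate(EVENTS, VISITS):
        print(*row, sep="  ")
```

A row marked UNCONFIRMED is a history entry with no matching logon session for that profile, which is worth checking against clock skew or missing audit records before it goes into a report.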
 

Author Comment

by:JPerkins_MMH
ID: 33599290
Thanks so much for the info and links breadtan.  I'll check those out.