Solved

Tool to extract information from Windows XP User Profiles?

Posted on 2010-08-31
Last Modified: 2012-06-22
Hello everyone, hoping you guys can help me out.  I work in the IT Department at my workplace - with the Desktop Support group.  Recently, one of the departments at my workplace has had issues with some of their employees going to websites they shouldn't be going to, such as online gaming, cell phone sites, etc. I have been tasked with weeding out this information from these "general use" PC's that are exhibiting the problem sites.  I have never done this and I'm having trouble finding information on the subject.

As an example of the type of information I'm looking for:  On one particular PC, I need to find out all the people who logged in on a particular night in between 12:00AM and 6:00AM.  I also need to find out what websites they visited while logged in.

Can anyone recommend some programs/tools to help me with this (hopefully free software)?  Any advice/suggestions are welcome and appreciated.  Thanks for your time.
0
Question by:JPerkins_MMH
11 Comments
 
LVL 3

Expert Comment

by:vladh
ID: 33566807
0
 
LVL 5

Expert Comment

by:DanMar
ID: 33567195
If you are using a proxy server e.g. Forefront/ISA etc. this will be logged on the server and either built in reporting or third party tools are available.  Do you know what proxy is in use?
0
 
LVL 3

Expert Comment

by:ngcmos
ID: 33567380
Well, the brute force approach: go to the computer with a program called Puppy Linux, go to the hard drive that's on the desktop, and use this file path: C:\Documents and Settings\user\Cookies. However, if they are using a login that is on a server domain, then this method won't work.
0
 

Author Comment

by:JPerkins_MMH
ID: 33567386
DanMar:
We currently do not have a proxy.  Our network admin is working on it, but it's only in testing phase (and likely will be that way for a long, long time).

vladh:
Thanks for the link.  I'll check that out.
0
 

Author Comment

by:JPerkins_MMH
ID: 33567459
ngcmos:
Yes, these computers are connected to my company's domain, and they are logging in with domain user accounts.  

vladh:
I checked the link, that doesn't really suit my current need.  I need to be able to check the logs of what they've already done.  I'm hoping that information is stored somewhere in their profiles local to each PC, and that there is a piece of software available (hopefully free) that will let me analyze that information for reporting to my superiors.
0

 
LVL 5

Expert Comment

by:DanMar
ID: 33567822
Without a proxy not much is being logged outside the client PC.  I do suggest installing one.  There will be a few shareware/freeware ones out there.
To verify users & sites visited on the PCs you will need to check the event viewer on the machine & IE History.  Check security in Event Viewer and ensure history is enabled for previous x days e.g. 14 days in IE.  You could also click "view files" or check Temporary Internet folder and you will find the internet addresses visited.
This is not ideal for ongoing reporting.
0
 

Author Comment

by:JPerkins_MMH
ID: 33569096
Well, this won't be an ongoing report.  I found out you can check web history through the .DAT files in each profile.  It's not much, but it does show some information.  

Can you recommend a free proxy program?  I'd like to be prepared in the future with something I can install to check what websites were visited more thoroughly.
0
 

Author Comment

by:JPerkins_MMH
ID: 33569138
Also, I need to be able to tell who is logged into Windows when the websites are visited.  These are general use PC's, and can be used by anyone in the department.
0
 
LVL 5

Expert Comment

by:DanMar
ID: 33574687
You can find who is logged in through the security section in the event viewer based on time & date.
I have had a look for free proxy server software and found this one: CCProxy, here:
http://www.youngzsoft.net/   It wouldn't be much work to set up.  If you need to look for more options I would go to popular shareware sites, Google etc. and search for "proxy server windows free" etc., compare ratings, and ensure that they are recent releases, i.e. 2009-2010.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 33598708
Since there is no proxy, central logs will take a while to verify (but doable); check out the suspected user machine's browser history. You can check out IEHistoryView @ http://blogs.techrepublic.com.com/window-on-windows/?p=745

This utility reads all information from the history file on your computer, and displays the list of all URLs that you have visited in the last few days. In addition, you are allowed to view the visited URL list of other user profiles on your computer, and even access the visited URL list on a remote computer, as long as you have permission to access the history folder.

Download @ http://www.nirsoft.net/utils/iehv.html

Also Pasco - A command line tool that runs on Unix or Windows and can reconstruct the internal structures for IE Index.dat files. Pasco accepts an Index.dat file, reconstructs the data, and outputs the information in a delimited text file format. The field
@ http://sourceforge.net/projects/odessa

Also, verifying the logon events in the event log will further confirm that the user was logged in during the browsing event. See "Audit logon events" in the article @ http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

Other info
==============
Suggest that the proxy be implemented since you are going to enforce web surfing to specific sites. You can check out BlueCoat @ http://www.bluecoat.com/products/webfilter. The key is that proxy client setting has to be locked as well so that bypassing the setting cannot be done by user easily.

BlueCoat has a proxy client to enforce this policy as a machine-global setting independent of the browser. Alternatively, if IE is the only uniform browser application used in the organisation, the Windows client has a built-in policy via the GPO; see link
@ http://lpakb.stbernard.com/webhelp/ODS/EnterpriseWebFilter/SupportFiles/OD0070.htm
0
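The cross-check described in the answer above (logon events against browsing history for the window in the question) can be sketched as follows. This is an added example, not part of the original thread: it assumes the Security log and history entries have already been exported and normalised to one time zone, that profile names equal account names, and all sample records are constructed. Event IDs 528 (logon) and 538/551 (logoff) are the Windows XP Security log IDs.

```python
from datetime import datetime

LOGON, LOGOFF = 528, (538, 551)   # Windows XP Security log event IDs
INTERACTIVE = 2                   # logon type of a console logon

def build_sessions(events):
    """Pair each interactive logon with the same user's next logoff.
    events: (time, event_id, user, logon_type) tuples sorted by time."""
    open_at, sessions = {}, []
    for when, event_id, user, logon_type in events:
        if event_id == LOGON and logon_type == INTERACTIVE:
            open_at.setdefault(user, when)
        elif event_id in LOGOFF and user in open_at:
            sessions.append((user, open_at.pop(user), when))
    # A logon with no logoff record (crash, power-off) stays open-ended.
    sessions += [(user, start, None) for user, start in open_at.items()]
    return sessions

def confirm_visits(visits, sessions, start, end):
    """For history entries inside [start, end), report whether the owner of
    the profile was logged on at that moment, and who was logged on."""
    report = []
    for when, profile, url in visits:
        if not (start <= when < end):
            continue
        active = sorted(u for u, s, e in sessions
                        if s <= when and (e is None or when <= e))
        report.append((when, profile, url, profile in active, active))
    return report

def at(hour, minute):
    return datetime(2010, 8, 30, hour, minute)

# Constructed sample data (hypothetical users and URLs, not a real machine).
EVENTS = [
    (at(0, 10), 528, "jdoe", 2),
    (at(0, 15), 528, "svc_backup", 3),   # network logon, ignored
    (at(1, 40), 551, "jdoe", None),
    (at(2, 5), 528, "asmith", 2),        # no logoff recorded
]
VISITS = [
    (at(0, 30), "jdoe", "http://games.example/"),
    (at(3, 0), "asmith", "http://phones.example/"),
    (at(4, 0), "jdoe", "http://games.example/play"),    # jdoe not logged on
    (at(9, 0), "asmith", "http://intranet.example/"),   # outside the window
]
REPORT = confirm_visits(VISITS, build_sessions(EVENTS), at(0, 0), at(6, 0))
```

A `False` in the fourth field marks a history entry whose profile owner had no open session at that time, which is the case to investigate further (clock skew, a missed logoff record, or another account touching that profile).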
 

Author Comment

by:JPerkins_MMH
ID: 33599290
Thanks so much for the info and links breadtan.  I'll check those out.
0
