Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Prove Application was Run on Windows Server

Posted on 2011-02-14
6
Medium Priority
?
944 Views
Last Modified: 2012-05-11
I have a situation where a person has mapped a drive and has run an application they were not suppose to. I know the Windows7 Desktop they were on and the time of the incident. I also The application that was run. The person has admitted that they have made a mistake. I want proof from the Windows system logs as proof that the incedent happened at the person said it did. How and what do I need to collect and collate to prove this?

Service is Windows 2003, Desktop is Windows7 it is an enterprise domain.
0
Comment
Question by:JeffSchaper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 34894331
If you haven't enabled auditing, then there is nothing in the system log UNLESS the application ran SPECIFICALLY and intentionally writes to it.  Depending on the app, MAYBE it created settings in the user's profile.... but it really depends on the app.  
0
 
LVL 4

Author Comment

by:JeffSchaper
ID: 34911779
So I'm not able to see the person map the drive to the share manually? The person typed in the unc path to get to the share.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 34911856
There may be MRU (most Recently used) lists in the registry, but if the user is no longer connected, I don't recall any way of knowing if they were via event logs.  And if auditing wasn't enabled on the server/application executable, then there is definitely no way to know that the user actually executed the program.  (Why did the user even have permission (NTFS Permissions) to access the file if he wasn't supposed to?
0
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 34912630
So the C grade is because I couldn't tell you how to do the impossible?
0
 
LVL 4

Author Comment

by:JeffSchaper
ID: 34912688
Sorry leew, the C Grade was in response to my satisfaction, not your expertise. I can tell you are a very intelligent person. If I could change the grade I would.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question