Available XP Logs

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Have an XP Pro machine, that I am trying to find out what user and when
some changes were made. Any suggestions?


--
MrsFaze
------------------------------------------------------------------------
MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048
  1.

    Event Viewer

    To open the Event Viewer...
    Start | Run | Type: eventvwr | OK

    HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

    Event Viewer overview
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/event_overview_01.mspx

    --
    Hope this helps. Let us know.

    Wes
    MS-MVP Windows Shell/User

    In news:MrsFaze.1n34wz@no-mx.forums.iamnotageek.com,
    MrsFaze <MrsFaze.1n34wz@no-mx.forums.iamnotageek.com> hunted and pecked:
    > Have an XP Pro machine, that I am trying to find out what user and when
    > some changes were made. Any suggestions?
    >
    >
    > --
    > MrsFaze
  2.

    What I am looking for is to try and recover items deleted from event
    viewer to cover up what was done to this pc. Any suggestions?


    --
    MrsFaze
  3.

    MrsFaze wrote:

    >
    > What I am looking for is to try and recover items deleted from event
    > viewer to cover up what was done to this pc. Any suggestions?
    >
    >
    Unless you had auditing enabled (and IIRC this is only available with XP
    Pro), it is unlikely that you will find the clues you are looking for
    (whatever that is). If you want more help from this newsgroup, you'll
    need to be more specific about what you are looking for so that we can
    possibly point you in a more definite direction. Otherwise, try
    contacting a private investigator who has a specialty in computer
    forensics.

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
  4.

    What I am looking for is someone deleted the Outlook Express icon from a
    user's desktop, went into taskbar properties, start menu, customize and
    unchecked Outlook Express (user could have done this). But most
    importantly, changed the user access to administrator, signed on as the
    user, went to set program access and default and unchecked Outlook
    Express, then changed the user access rights back to user, so that
    Outlook Express did not show up on just that one user's program list (at
    least that is the only way I know how to do that). The items were
    there on 3-28-05 (user was out on 3-29-05) on 3-30-05 when user came
    back in they were gone. There were no log entries at all for the 29th
    when I have been told there were 2 different people at this computer
    using it on the 29th. I am trying to figure out when and who if at all
    possible this was done. User is being blamed and will be disciplined if
    I can't find anything.


    --
    MrsFaze
  5.

    MrsFaze wrote:

    >
    > What I am looking for is someone deleted the Outlook Express icon from
    > a user's desktop, went into taskbar properties, start menu, customize
    > and unchecked Outlook Express (user could have done this). But most
    > importantly, changed the user access to administrator, signed on as
    > the user, went to set program access and default and unchecked Outlook
    > Express, then changed the user access rights back to user, so that
    > Outlook Express did not show up on just that one user's program list (at
    > least that is the only way I know how to do that). The items were
    > there on 3-28-05 (user was out on 3-29-05) on 3-30-05 when user came
    > back in they were gone. There were no log entries at all for the 29th
    > when I have been told there were 2 different people at this computer
    > using it on the 29th. I am trying to figure out when and who if at
    > all possible this was done. User is being blamed and will be disciplined
    > if I can't find anything.
    >

    AFAIK, unless you had enabled auditing, there is no way to determine
    this. Here is a link to an MS article explaining auditing in XP Pro:

    http://tinyurl.com/3ocvp

    If you have an IT Dept., they may have auditing enabled and they should
    be consulted. If this is a standalone or workstation in a non-domain
    environment and there is no IT Dept., then consider calling a computer
    forensics company.

    Why would someone go through all that trouble just to delete a desktop
    icon? What possible purpose would that serve? It really doesn't make a
    lot of sense. Good luck, in any case.

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
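
    An added example, not part of the original thread: once auditing is on and a log has been saved from Event Viewer as comma-delimited text, a short script can list the calendar days with no entries and the accounts seen on each day, which are the two questions raised above. The column order (Date, Time, Source, Type, Category, Event, User, Computer), the M/D/YYYY date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not from the thread). Assumed column order:
# Date,Time,Source,Type,Category,Event,User,Computer
SAMPLE_EXPORT = """\
3/28/2005,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,PC01\\alice,PC01
3/28/2005,5:01:40 PM,Security,Success Audit,Logon/Logoff,538,PC01\\alice,PC01
3/30/2005,8:05:37 AM,Security,Success Audit,Logon/Logoff,528,PC01\\alice,PC01
3/30/2005,8:09:12 AM,Security,Success Audit,Logon/Logoff,528,PC01\\bob,PC01
"""

def parse_export(text):
    """Return (timestamp, event_id, user) tuples from an exported log."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 8:
            continue  # skip blank or truncated lines
        stamp = datetime.strptime(rec[0] + " " + rec[1], "%m/%d/%Y %I:%M:%S %p")
        rows.append((stamp, int(rec[5]), rec[6]))
    return rows

def silent_days(rows):
    """Days between the first and last entry that have no entries at all.

    A silent day only shows that no records survive for it: the machine may
    have been off, or the log may have been cleared. It does not say who.
    """
    seen = {stamp.date() for stamp, _eid, _user in rows}
    if not seen:
        return []
    day, last = min(seen), max(seen)
    gaps = []
    while day <= last:
        if day not in seen:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps

def users_by_day(rows):
    """Map each date to the set of account names recorded on it."""
    seen = defaultdict(set)
    for stamp, _eid, user in rows:
        seen[stamp.date()].add(user)
    return dict(seen)

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("Days with no entries:", silent_days(parsed))
    for day, users in sorted(users_by_day(parsed).items()):
        print(day, sorted(users))
```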
  6.

    Also, as I am not up to speed on Windows what do you mean by IIRC - It
    is Windows XP PRO.


    --
    MrsFaze
  7.

    Malke,

    Thanks, actually I am the IT department, but I am better with
    non-windows, the actual hardware and networks. Having to get a better
    grasp on Windows, but I am behind. Have a little department war going
    on, they have already crashed a hard drive and a lot of other petty
    stuff. At the time this happened I did not have auditing turned on, I
    do now. I just don't want the primary user to get in trouble for this
    as I do not think she is capable of doing this. I am pretty sure I
    know who, but need to prove it. By the way, what did you mean by IIRC?
    That is something I have not run across in all my studying. Any other
    tips would be appreciated as well.


    --
    MrsFaze
  8.

    MrsFaze wrote:

    >
    > Malke,
    >
    > Thanks, actually I am the IT department, but I am better with
    > non-windows, the actual hardware and networks. Having to get a better
    > grasp on Windows, but I am behind. Have a little department war going
    > on, they have already crashed a hard drive and a lot of other petty
    > stuff. At the time this happened I did not have auditing turned on, I
    > do now. I just don't want the primary user to get in trouble for this
    > as I do not think she is capable of doing this. I am pretty sure I
    > know who, but need to prove it. By the way, what did you mean by
    > IIRC?
    > That is something I have not run across in all my studying. Any
    > other tips would be appreciated as well.
    >
    >

    I would suggest you call in an outside professional to help you get set
    up. It is not possible for users to "crash a hard drive" by simply
    using the operating system. Of course they can hose the operating
    system, but physically damaging a hard drive from within Windows is not
    possible.

    "IIRC" is short for "If I Recall Correctly".

    Malke
    --
    MS MVP - Windows Shell/User
    www.elephantboycomputers.com
    In Memoriam - MVP Alex Nichol
    The world is diminished without him.
  9.

    Malke,

    Thanks I'll see what I can find, we are in a small town not anyone here
    with the kind of knowledge I need. I guess it would have been more
    accurate for me to say "crash the operating system". I appreciate the
    help and information:)


    --
    MrsFaze