Sign in with
Sign up | Sign in
Your question

Available XP Logs

Last response: in Windows XP
Share
Anonymous
a b 8 Security
April 6, 2005 8:24:46 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Have an XP Pro machine, that I am trying to find out what user and when
some changes were made. Any suggestions?


--
MrsFaze
------------------------------------------------------------------------
MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048

More about : logs

Anonymous
a b 8 Security
April 6, 2005 8:24:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Event Viewer

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/documentation/window...

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:MrsFaze.1n34wz@no-mx.forums.iamnotageek.com,
MrsFaze <MrsFaze.1n34wz@no-mx.forums.iamnotageek.com> hunted and pecked:
> Have an XP Pro machine, that I am trying to find out what user and when
> some changes were made. Any suggestions?
>
>
> --
> MrsFaze
> ------------------------------------------------------------------------
> MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
> View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048
Related resources
April 12, 2005 8:01:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

MrsFaze wrote:

>
> What I am looking for is to try and recover items deleted from event
> viewer to cover up what was done to this pc. Any suggestions?
>
>
Unless you had auditing enabled (and IIRC this is only available with XP
Pro), it is unlikely that you will find the clues you are looking for
(whatever that is). If you want more help from this newsgroup, you'll
need to be more specific about what you are looking for so that we can
possibly point you in a more definite direction. Otherwise, try
contacting a private investigator who has a specialty in computer
forensics.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
Anonymous
a b 8 Security
April 12, 2005 11:20:06 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

What I am looking for is someone deleted the Outlook Express Icon from a
users desktop, went into taskbar properties, start menu, customize and
unchecked Outlook Express(user could have done this). But most
importantly, changed the user access to administrator, signed on as the
user, went to set program access and default and unchecked outlook
express, then changed the user access rights back to user, so that
outlook express did not show up on just that one users program list(at
least that is the only way I know how to do that). The items were
there on 3-28-05 (user was out on 3-29-05) on 3-30-05 when user came
back in they were gone. There were no log entries at all for the 29th
when I have been told there were 2 different people at this computer
using it on the 29th. I am trying to figure out when and who if at all
possible this was done. User is being blamed and will be disaplined if
I can't find anything.


--
MrsFaze
------------------------------------------------------------------------
MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048
April 13, 2005 10:29:05 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

MrsFaze wrote:

>
> What I am looking for is someone deleted the Outlook Express Icon from
> a users desktop, went into taskbar properties, start menu, customize
> and
> unchecked Outlook Express(user could have done this). But most
> importantly, changed the user access to administrator, signed on as
> the user, went to set program access and default and unchecked outlook
> express, then changed the user access rights back to user, so that
> outlook express did not show up on just that one users program list(at
> least that is the only way I know how to do that). The items were
> there on 3-28-05 (user was out on 3-29-05) on 3-30-05 when user came
> back in they were gone. There were no log entries at all for the 29th
> when I have been told there were 2 different people at this computer
> using it on the 29th. I am trying to figure out when and who if at
> all
> possible this was done. User is being blamed and will be disaplined
> if I can't find anything.
>

AFAIK, unless you had enabled auditing, there is no way to determine
this. Here is a link to an MS article explaining auditing in XP Pro:

http://tinyurl.com/3ocvp

If you have an IT Dept., they may have auditing enabled and they should
be consulted. If this is a standalone or workstation in a non-domain
environment and there is no IT Dept., then consider calling a computer
forensics company.

Why would someone go through all that trouble just to delete a desktop
icon? What possible purpose would that serve? It really doesn't make a
lot of sense. Good luck, in any case.

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
Anonymous
a b 8 Security
April 13, 2005 1:51:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Malke,

Thanks, actually I am the IT department, but I am better with
non-windows, the actual hardware and networks. Having to get a better
grasp on Windows, but I am behind. Have a little department war going
on, they have already crashed a hard drive and a lot of other petty
stuff. At the time this happened I did not have auditing turned on, I
do now. I just don't want the primary user to get in trouble for this
as I do not think she is capable of doing this. I am pretty sure I
know who, but need to prove it. By the way, what did you mean by IIRC?
That is something I have not run accross in all my studying. Any other
tips would be appreciated as well.


--
MrsFaze
------------------------------------------------------------------------
MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048
April 14, 2005 10:31:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

MrsFaze wrote:

>
> Malke,
>
> Thanks, actually I am the IT department, but I am better with
> non-windows, the actual hardware and networks. Having to get a better
> grasp on Windows, but I am behind. Have a little department war going
> on, they have already crashed a hard drive and a lot of other petty
> stuff. At the time this happened I did not have auditing turned on, I
> do now. I just don't want the primary user to get in trouble for this
> as I do not think she is capable of doing this. I am pretty sure I
> know who, but need to prove it. By the way, what did you mean by
> IIRC?
> That is something I have not run accross in all my studying. Any
> other tips would be appreciated as well.
>
>

I would suggest you call in an outside professional to help you get set
up. It is not possible for users to "crash a hard drive" by simply
using the operating system. Of course they can hose the operating
system, but physically damaging a hard drive from within Windows is not
possible.

"IIRC" is short for "If I Recall Correctly".

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
Anonymous
a b 8 Security
April 14, 2005 1:44:13 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Malke,

Thanks I'll see what I can find, we are in a small town not anyone here
with the kind of knowledge I need. I guess it would have been more
acurate for me to say "crash the operating system". I appreciate the
help and information:) 


--
MrsFaze
------------------------------------------------------------------------
MrsFaze's Profile: http://www.iamnotageek.com/member.php?userid=8826
View this thread: http://www.iamnotageek.com/showthread.php?t=1819058048
!