NT Gatekeeper: Setting Up Auditing to Track Application Use

To get a clearer view of the number of employees who use a particular internal accounting software program, my Chief Information Officer (CIO) wants me to monitor the execution of the accounting program on users' desktops. To do so, I want to trace an event that's logged to Windows NT Event Viewer every time a user executes the program. How can I set up the trace?

To log an event to Event Viewer every time your accounting software runs, set up the appropriate audit settings on the program's executable file. Take, for example, the Windows clock.exe program. To log an event every time the Windows clock starts,

  • Configure auditing on the clock.exe file for the Everyone group and the Traverse folder/Execute file access right. You can configure auditing from the clock.exe file's security properties.

  • Configure auditing for File and Object Access by using the User Manager's Audit Policy Configuration dialog box.

Every time clock.exe executes, you'll notice event ID 560 (Object access) followed by event ID 562 (Handle closed) in Event Viewer's security log. In the description of event ID 560, you'll find a reference to the clock.exe object.

To gather the security logs from your user desktops, you can use the Microsoft Windows NT Server 4.0 Resource Kit dumpel.exe utility. Dumpel.exe dumps the content of the event log for a local or remote system into a tab-separated text file. In the example, at the command line, you would type

dumpel -s MyServer -l security -m security -e 560 -f out.txt

where -s specifies the name of the machine whose event logs you want to dump (in the example, MyServer), -l specifies which log to dump (e.g., security, application, system), -m specifies the event source, -e is a filtering switch that specifies the event ID to filter on (here, 560), and -f specifies the name of the file to which dumpel.exe will write the dump results.

You can run dumpel.exe in batch mode (to cover all workstations) from an administrator's desktop. The Microsoft article "Automating Detection of Logon Failures In a Windows NT Domain" (http://support.microsoft.com/support/kb/articles/q171/1/48.asp) shows a similar batch script used to monitor domain controller (DC) logon failures. After you gather the event-log data, you can import the data into a database such as Microsoft Access for analysis.
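As an added example (not part of the original column), here is a small Python script that reads dumpel's tab-separated output and counts, per user, how many times a given program produced an event ID 560. The column layout (date, time, type, category, event ID, source, user, computer, description) and the sample lines are constructed assumptions, so compare them with a real out.txt before relying on the counts.

```python
import csv
import io
import ntpath
import re
from collections import Counter

# Constructed sample in the assumed dumpel column order:
# date, time, type, category, event ID, source, user, computer, description.
# Only the 560 (Object Open) rows name the executable; 562 rows do not.
SAMPLE_DUMP = (
    "3/12/2001\t9:02:11 AM\t8\t3\t560\tSecurity\tALICE\tWS01\t"
    "Object Open: Object Type: File Object Name: C:\\WINNT\\system32\\clock.exe Accesses: Execute/Traverse\n"
    "3/12/2001\t9:05:40 AM\t8\t3\t560\tSecurity\tBOB\tWS02\t"
    "Object Open: Object Type: File Object Name: C:\\WINNT\\system32\\clock.exe Accesses: Execute/Traverse\n"
    "3/12/2001\t9:07:02 AM\t8\t3\t560\tSecurity\tALICE\tWS01\t"
    "Object Open: Object Type: File Object Name: C:\\WINNT\\system32\\clock.exe Accesses: Execute/Traverse\n"
    "3/12/2001\t9:09:15 AM\t8\t3\t560\tSecurity\tCAROL\tWS03\t"
    "Object Open: Object Type: File Object Name: C:\\WINNT\\notepad.exe Accesses: Execute/Traverse\n"
    "3/12/2001\t9:10:01 AM\t8\t3\t562\tSecurity\tBOB\tWS02\tHandle Closed\n"
)

OBJECT_NAME = re.compile(r"Object Name:\s*(\S+)", re.IGNORECASE)


def count_program_runs(dump_text, program_name):
    """Return (Counter of runs per user, number of distinct users) for
    event ID 560 rows whose Object Name is the given executable."""
    runs = Counter()
    for row in csv.reader(io.StringIO(dump_text), delimiter="\t"):
        if len(row) < 9 or row[4] != "560":
            continue  # skip 562 (Handle Closed) and malformed rows
        user, description = row[6], row[8]
        match = OBJECT_NAME.search(description)
        if not match:
            continue
        # Compare on the file name only; the install path may differ per desktop.
        if ntpath.basename(match.group(1)).lower() == program_name.lower():
            runs[user] += 1
    return runs, len(runs)


if __name__ == "__main__":
    per_user, distinct = count_program_runs(SAMPLE_DUMP, "clock.exe")
    for user, n in sorted(per_user.items()):
        print(f"{user}\t{n}")
    print(f"distinct users: {distinct}")
```

Point the script at the out.txt files collected from each workstation and the same per-user tally feeds the Access import described above.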
