Who Connects to Your Computer?

Who connects to your computer?

Who connects to your computer? You can be notified by an MSN-like popup window while doing your work. The program can also create its own log file for all historical logon events. The log file created in the sample code is called called evlogger.txt and can be found in the application (evNotify.exe) folder.

The idea to write this code came from Tom Archer's article: Monitoring the Windows Event Log

Before running the program please check if you have switched on "Audit logon events":

  1. Open: Control Panel \ Admin Tools \ Local Security Policy
  2. Go to: Local Policies \ Audit Policy
  3. Double click on Audit logon events and check "Audit events on Success / Failure".
This option creates events of the log-on/log-off category in the Windows security log upon every user's attempt to onto or off of the system.

Note: Your account should have privileges to manipulate "Local Security Policy."

EvNotify monitors Windows security log for the following logon events:
528 . Local logon account event.
540 . Network logon account event.
538 . Logoff event (local or network).

529 . Logon failure event (local or network).
539 . Account locked out.
535 . The specified account's password has expired.
531 . Account currently disabled.

You can refer to the link bellow for more detailed information:
Log-on type codes revealed

Program's popup window displays the following information:
User
Computer
Description - User
Description - Domain
Description - Logon type
Description - Workstation Name

Logon events are written in black.
Logoff events are written in blue.
Unsuccessful logon event are written in red.

Note: You could test the program by logging as another user for example:
runas /u:testuser cmd

Source code notes

In FormMaim.cs are instantiated the following important classes:

1. EventListener:

  • It's subscribed for EntryWritten events of EventLog (a standard .NET class providing interaction with Windows event logs).
  • It starts a working thread.
  • Its function, OnEntryWritten(), filters all received logon events and passes them to the working thread to be handled. In that way the thread receiving event log events has been freed to listen for new events.
2. SinkClass:
  • Receives messages from the working thread of EventListener class and passes them to MSNPopup window.
3. MSNPopup:
  • MSN like Popup window that displays logon event log entries.
Finally I'd like to mention that this is not the most precise way of getting all event notifications. You could miss some of them. A more professional approach would be to use good old VC++ development using native API calls.


Downloads

Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Live Event Date: April 29, 2014 @ 2:00 p.m. ET / 11:00 a.m. PT Leveraging Flash storage to accelerate an Oracle Real Application Clusters (RAC) environment is one of today's hottest technology topics. Oracle databases require guaranteed levels of storage performance and high availability of data. Until recently, Oracle RAC could only use Flash storage for SmartFlash Cache, which addresses some performance improvements, but limits the benefits that can be gained from a shared Flash infrastructure. Enter …

  • Live Event Date: May 6, 2014 @ 1:00 p.m. ET / 10:00 a.m. PT While you likely have very good reasons for remaining on WinXP after end of support -- an estimated 20-30% of worldwide devices still are -- the bottom line is your security risk is now significant. In the absence of security patches, attackers will certainly turn their attention to this new opportunity. Join Lumension Vice President Paul Zimski in this one-hour webcast to discuss risk and, more importantly, 5 pragmatic risk mitigation techniques …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds