Re: audit access to cmd.exe
From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 11/19/03
- Next message: Flare: "Re: Problem with caspol.exe in FW 1.1"
- Previous message: Mike Burgess: "Re: Help - Tried almost everything!"
- In reply to: George Hester: "Re: audit access to cmd.exe"
- Next in thread: Karl Levinson [x y] mvp: "Re: audit access to cmd.exe"
- Reply: Karl Levinson [x y] mvp: "Re: audit access to cmd.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Nov 2003 09:25:07 -0500
You turn on accessing of all objects, then you set auditing on the
individual objects you want to see info on.
In my case, on a workgroup, I needed to add users individually. I only did
the one test, and got the name of the user involved, but it was me, at the
console. I've no idea what will happen if you use the "users" class on a
domain--whether you'll get individual names--I suspect you will get lots of
data.
"George Hester" <hesterloli@hotmail.com> wrote in message
news:uGSp0PlrDHA.2060@TK2MSFTNGP10.phx.gbl...
Well I know it is cmd.exe being accessed. I see it in processes. I was
going to do what you suggested. But I was afraid Local Security would audit
ALL my objects. And I really didn't want that. Just cmd.exe. So the way
you suggest is what I'll have to do, eh? Did you get the information I was
asking about? User IP address stuff like that?
--
George Hester
__________________________________
"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:uVbtJejrDHA.1876@TK2MSFTNGP09.phx.gbl...
> Don't have a quick answer for Windows 2000 Pro, but here's how I'd start
> looking, in XP :(
>
> 1) secpol.msc--Security Settings, Local Policies, Audit Policy.
>
> "Audit Object Access" Success & failure
>
> 2) Explorer %windowsroot%\system32. Right-click cmd.exe and choose
> properties.
> Security tab
> Advanced
> auditing tab
> (add people and set details here.)
>
> A single successful use of cmd.exe resulted in 40 some entries in my
> Security log, so be prepared.
>
> I've no idea how this works in a domain--I'm at home, and haven't tested it
> in a domain environment (i.e. do you add individual users in order to get
> actual names?)
>
> I think I can recall reading that using Object Access auditing can swell
> logfiles fast--hope somebody else can suggest a better solution.
>
> What about command.exe?
>
> "George Hester" <hesterloli@hotmail.com> wrote in message
> news:OsWebHirDHA.1784@TK2MSFTNGP09.phx.gbl...
> How do I do that in Windows 2000 Professional. I would like to know the
> UserID of who accesses it. The time. If it is remote the IP address.
> Thanks.
>
> --
> George Hester
> __________________________________
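
A scripted equivalent of the two steps discussed in this thread (enable the policy, then set auditing on cmd.exe alone), added here as an example that is not part of the original posts. It assumes an elevated Windows PowerShell 5.1 session on Windows Vista/Server 2008 or later with English `auditpol` subcategory names; event ID 4663 and its field names belong to those later versions and do not come from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: Windows Vista/Server 2008 or later,
# Windows PowerShell 5.1, English auditpol subcategory names.

$path = Join-Path $env:SystemRoot 'System32\cmd.exe'

# 1) Policy: enable object-access auditing for files. On its own this logs
#    nothing; only objects that carry an audit entry (SACL) produce events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2) SACL: add a single audit entry to cmd.exe. Requesting only the Audit
#    section leaves the file's owner and permissions untouched.
$sections = [System.Security.AccessControl.AccessControlSections]::Audit
$acl      = (Get-Item -LiteralPath $path).GetAccessControl($sections)
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = [System.Security.AccessControl.FileSystemAuditRule]::new(
                $everyone,
                [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
                [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
[System.IO.File]::SetAccessControl($path, $acl)

# 3) Read back: keep only the 4663 (object access) records whose object is
#    cmd.exe, and report who touched it, when, and from which process.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -ieq $path) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'],
                                       $data['SubjectUserName']
                LogonId = $data['SubjectLogonId']
                Process = $data['ProcessName']
            }
        }
    } | Sort-Object Time
```

These records carry the account, logon ID and calling process, but no source network address.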