Cycling and bicycle discussion forums. 
Foo Off-Topic chit chat with no general subject.

Old 02-16-09, 06:58 AM   #1
SonataInFSharp
How to Find out which User Installed an Application?

We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.

Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.

Windows XP Pro SP3 and I am an admin on the workstations in question.

A Google search wasn't very helpful, probably because I don't know what I am searching for, so I thought I'd FOOgle it!

Thanks in advance!
Old 02-16-09, 07:08 AM   #2
Taerom
Put a big fake house plant next to the computer and hide behind it. Wait until the perp uses the computer and installs the application, then jump out and yell "Got'cha!"
Old 02-16-09, 08:50 AM   #3
valygrl
Wow, your IT allows users to install applications?
Old 02-16-09, 09:09 AM   #4
SonataInFSharp
Quote:
Originally Posted by valygrl View Post
Wow, your IT allows users to install applications?
Generally, no, but our department has special workstation privileges due to other stuff which requires those special privileges. But, if the privileges get abused, well... this happens.
Old 02-16-09, 09:21 AM   #5
vja4Him
Join a Computer Forum ...

Quote:
Originally Posted by SonataInFSharp View Post
We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.

Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.

Windows XP Pro SP3 and I am an admin on the workstations in question.

A Google search wasn't very helpful, probably because I don't know what I am searching for, so I thought I'd FOOgle it!

Thanks in advance!
You need to join a computer forum. You will get the help you need to find out who the culprit is!
Old 02-16-09, 09:25 AM   #6
StupidlyBrave 
This app uses the software registry, does it not?

I suggest remotely monitoring this machine's registry looking for the incriminating key to show up. Log non-existence and existence in a log file and later compare to the system's event log (to get the logged-in user id).

Perl's Win32::TieRegistry module would seem to be a good place to start...
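The correlation step suggested in post #6, as an added example that is not part of the thread or any poster's code: it takes a poller's presence/absence log plus logon/logoff rows, finds each window in which the key appeared, and intersects the users logged on across those windows. The log formats, user names and timestamps are constructed for illustration; 528 and 538 are the Windows XP Security-log event IDs for logon and logoff.

```python
from datetime import datetime

# Constructed sample data. POLL_LOG is what a registry poller would record
# (timestamp, key state). EVENTS mimics rows exported from the XP Security
# log: event 528 is a successful logon, 538 a logoff.
POLL_LOG = """\
2009-02-10T12:00 ABSENT
2009-02-10T16:00 PRESENT
2009-02-11T08:00 ABSENT
2009-02-11T12:00 PRESENT
"""
EVENTS = """\
2009-02-10T07:55 528 alice
2009-02-10T11:50 538 alice
2009-02-10T11:58 528 bob
2009-02-10T13:30 538 bob
2009-02-10T13:35 528 carol
2009-02-10T17:00 538 carol
2009-02-11T07:50 528 carol
2009-02-11T11:45 538 carol
"""

def parse(text):
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]

def install_windows(poll):
    """(last poll with key absent, first poll with key present) pairs."""
    return [(t0, t1) for (t0, s0), (t1, s1) in zip(poll, poll[1:])
            if s0 == "ABSENT" and s1 == "PRESENT"]

def sessions(events):
    """Pair each logon (528) with the same user's next logoff (538)."""
    open_at, out = {}, []
    for when, event_id, user in events:
        if event_id == "528":
            open_at[user] = when
        elif event_id == "538" and user in open_at:
            out.append((user, open_at.pop(user), when))
    # No logoff recorded yet: treat the session as still open.
    return out + [(u, t, datetime.max) for u, t in open_at.items()]

def suspects(poll_text, event_text):
    """Per-window logged-on users, and those present in every window."""
    sess = sessions(parse(event_text))
    per_window = [{u for u, a, b in sess if a < hi and b > lo}
                  for lo, hi in install_windows(parse(poll_text))]
    return per_window, set.intersection(*per_window) if per_window else set()
```

With the sample data, `suspects(POLL_LOG, EVENTS)` narrows two candidates in the first window down to the one account present in both. The shorter the polling interval, the fewer sessions overlap each window.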
Old 02-16-09, 10:10 AM   #7
banerjek
I haven't had to screw around with group policy for years, but it's easy enough to make it so files with names matching certain patterns or falling in certain directories cannot be executed. That will let you target the app without screwing everything else up. After he installs it a few times and it doesn't work, he'll give up.

Most apps are internet aware or must be downloaded from specific locations. You could also add an entry (or entries) to the hosts file that points to 127.0.0.1 which will make it impossible for him to download or use the software.

Although these tricks are very simple, the picture you paint suggests that the users are not sophisticated enough to undo them.

The event viewer could contain clues about who's installing it. The app is bound to leave files in the user's home directory if timestamps don't give everything away.

Last edited by banerjek; 02-16-09 at 10:15 AM.
Old 02-16-09, 10:19 AM   #8
RubenX 
Quote:
Originally Posted by valygrl View Post
Wow, your IT allows users to install applications?
I thought the same thing...Most don't even allow the use of thumb drives anymore....
Old 02-16-09, 12:54 PM   #9
banerjek
Quote:
Originally Posted by RubenX View Post
I thought the same thing...Most don't even allow the use of thumb drives anymore....
I love places like that -- disable the machines and wreck productivity in the name of making things work.

At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.

We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.
Old 02-16-09, 01:08 PM   #10
iamlucky13
Quote:
Originally Posted by banerjek View Post
I love places like that -- disable the machines and wreck productivity in the name of making things work.

At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.

We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.
Amen!

My last workplace was like that. Unfortunately, however, they also used the crappy software builds that Lenovo ships their systems with. When they upgraded my computer from a T42 to a T60, despite both having XP, the newer one took almost twice as long to boot and did almost everything else slower, too.
Old 02-16-09, 02:08 PM   #11
DannoXYZ 
Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list. Personally, I know I wasted over 800 hours in 1995 playing networked DOOM at the office. Same with websites. I don't see how blocking www.getfreeanimalporn.biz would in any way harm your business.

As for monitoring software, check these out:

http://www.keykeymonitor.com
http://www.freewarebox.com/free_145_...-download.html

Be sure to add whatever monitoring software you use to your antivirus exceptions list.

Last edited by DannoXYZ; 02-16-09 at 02:12 PM.
Old 02-16-09, 04:19 PM   #12
banerjek
Quote:
Originally Posted by DannoXYZ View Post
Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list.
This is true. If the systems dept has a pretty good grip on what users are doing, communication is good, and the systems dept has enough resources to respond quickly to requests, a locked down machine won't get in the way of people. The network guys I work with are like that. This morning, I requested a domain name, IP, plus a wildcard DNS entry (explanation was provided with the request), and it was done within an hour.

However, if the people on support are overextended, don't understand how the software is used, define what people need based on uninformed gut reactions rather than understanding of what people do, or don't have a feel for how what they do affects others, the situation can be entirely different.

I have been on both ends of this with fabulous and crappy systems people. Systems departments tend to be understaffed which makes it hard for even good people to keep up. In such situations, it is usually better to have too little security than too much. What I always used to guide my actions was the "front page test" -- i.e. if a story explaining what you did appeared on the front page of the paper, you would still think you did the right thing.
Old 02-16-09, 05:59 PM   #13
mlts22 
I'd turn auditing on, then periodically check the logs. The log files will be huge, but you can tell who installed what.

Windows 7 has a nice feature for enterprise use -- AppLocker. Each user can be assigned applications that they can run, and nothing else.
Old 02-16-09, 06:09 PM   #14
x136 
Bust some kneecaps. Someone will fess or point their horribly mangled finger.
Old 02-17-09, 12:29 PM   #15
SonataInFSharp
I figured it out the really old fashioned way... I checked the work schedule and it just so happened only one person worked between shifts during the time I was there and the app was installed again, so I got 'em. It was pure luck; the chances of being so obvious like that normally wouldn't happen (normally far too many people would have touched the computer during that time frame).
Old 02-17-09, 01:45 PM   #16
mlts22 
One program I highly recommend, but it is expensive, is VMware's ThinApp, formerly Thinstall. Most apps that require admin rights can be "wrapped" by this utility and only run as a user. This allows places to not have to give users administrative rights on machines.

Thinstall does not work with apps that need drivers to function (like TrueCrypt), but for most things, it is pretty good. It also allows an admin to easily slipstream upgraded versions as well.
Old 02-17-09, 01:51 PM   #17
jsharr
Quote:
Originally Posted by x136 View Post
Bust some kneecaps. Someone will fess or point their horribly mangled finger.
You failed anatomy didn't you?
Old 02-17-09, 01:53 PM   #18
x136 
Quote:
Originally Posted by jsharr View Post
You failed anatomy didn't you?
Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.
Old 02-17-09, 02:05 PM   #19
CliftonGK1
Quote:
Originally Posted by x136 View Post
Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.
Not if you tie their hands behind the chair first.


... amateurs.
Old 02-17-09, 02:21 PM   #20
x136 
Quote:
Originally Posted by CliftonGK1 View Post
Not if you tie their hands behind the chair first.


... amateurs.
That just makes more work when you want to also break their fingers. Why not let their reflexes help you out?
Old 02-17-09, 04:53 PM   #21
DannoXYZ 
You guys ever seen a knee bent backwards in reverse???
All times are GMT -6. The time now is 06:14 AM.