  1. #1
    Senior Member

    How to Find out which User Installed an Application?

    We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.

    Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.

    Windows XP Pro SP3 and I am an admin on the workstations in question.

    A Google search wasn't very helpful, probably because I don't know what I am searching for, so I'd thought I'd FOOgle it!

    Thanks in advance!

  2. #2
    Hazardous Taerom's Avatar
    Put a big fake house plant next to the computer and hide behind it. Wait until the perp uses the computer and installs the application, then jump out and yell "Got'cha!"

  3. #3
    Senior Member
    Wow, your IT allows users to install applications?
    ...

  4. #4
    Senior Member
    Quote Originally Posted by valygrl View Post
    Wow, your IT allows users to install applications?
    Generally, no, but our department has special workstation privileges due to other stuff which requires those special privileges. But, if the privileges get abused, well... this happens.

  5. #5
    Biking 4 Life vja4Him's Avatar

    Join a Computer Forum ...

    Quote Originally Posted by SonataInFSharp View Post
    We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.

    Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.

    Windows XP Pro SP3 and I am an admin on the workstations in question.

    A Google search wasn't very helpful, probably because I don't know what I am searching for, so I'd thought I'd FOOgle it!

    Thanks in advance!
    You need to join a computer forum. You will get the help you need to find out who the culprit is!

  6. #6
    Chepooka StupidlyBrave's Avatar
    This app uses the software registry, does it not?

    I suggest remotely monitoring this machine's registry looking for the incriminating key to show up. Log non-existence and existence in a log file and later compare to the system's event log (to get the logged-in user id).

    Perl's Win32::TieRegistry module would seem to be a good place to start...

  7. #7
    Portland Fred banerjek's Avatar
    I haven't had to screw around with group policy for years, but it's easy enough to make it so files with names matching certain patterns or falling in certain directories cannot be executed. That will let you target the app without screwing everything else up. After he installs it a few times and it doesn't work, he'll give up.

    Most apps are internet aware or must be downloaded from specific locations. You could also add an entry (or entries) to the hosts file that points to 127.0.0.1 which will make it impossible for him to download or use the software.

    Although these tricks are very simple, the picture you paint suggests that the users are not sophisticated enough to undo them.

    The event viewer could contain clues about who's installing it. The app is bound to leave files in the user's home directory if timestamps don't give everything away.
    Last edited by banerjek; 02-16-09 at 10:15 AM.

  8. #8
    Look! My Spine! RubenX's Avatar
    Quote Originally Posted by valygrl View Post
    Wow, your IT allows users to install applications?
    I thought the same thing...Most don't even allow the use of thumb drives anymore....

  9. #9
    Portland Fred banerjek's Avatar
    Quote Originally Posted by RubenX View Post
    I thought the same thing...Most don't even allow the use of thumb drives anymore....
    I love places like that -- disable the machines and wreck productivity in the name of making things work.

    At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.

    We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.

  10. #10
    Footballus vita est iamlucky13's Avatar
    Quote Originally Posted by banerjek View Post
    I love places like that -- disable the machines and wreck productivity in the name of making things work.

    At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.

    We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.
    Amen!

    My last workplace was like that. Unfortunately, however, they also used the crappy software builds that Lenovo ships their systems with. When they upgraded my computer from a T42 to a T60, despite both having XP, the newer one took almost twice as long to boot and did almost everything else slower, too.
    "The internet is a place where absolutely nothing happens. You need to take advantage of that." ~ Strong Bad

  11. #11
    Senior Member DannoXYZ's Avatar
    Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list. Personally, I know I wasted over 800 hours in 1995 playing networked DOOM at the office. Same with websites. I don't see how blocking www.getfreeanimalporn.biz would in any way harm your business.

    As for monitoring software, check these out:

    http://www.keykeymonitor.com
    http://www.freewarebox.com/free_145_...-download.html

    Be sure to add whatever monitoring software you use to your antivirus exceptions list.
    Last edited by DannoXYZ; 02-16-09 at 02:12 PM.

  12. #12
    Portland Fred banerjek's Avatar
    Quote Originally Posted by DannoXYZ View Post
    Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list.
    This is true. If the systems dept has a pretty good grip on what users are doing, communication is good, and the systems dept has enough resources to respond quickly to requests, a locked down machine won't get in the way of people. The network guys I work with are like that. This morning, I requested a domain name, IP, plus a wildcard DNS entry (explanation was provided with the request), and it was done within an hour.

    However, if the people on support are overextended, don't understand how the software is used, define what people need based on uninformed gut reactions rather than understanding of what people do, or don't have a feel for how what they do affects others, the situation can be entirely different.

    I have been on both ends of this with fabulous and crappy systems people. Systems departments tend to be understaffed which makes it hard for even good people to keep up. In such situations, it is usually better to have too little security than too much. What I always used to guide my actions was the "front page test" -- i.e. if a story explaining what you did appeared on the front page of the paper, you would still think you did the right thing.

  13. #13
    Senior Member
    I'd turn auditing on, then periodically check the logs. The log files will be huge, but you can tell who installed what.

    Windows 7 has a nice feature for enterprise use -- AppLocker. Each user can be assigned applications that they can run, and nothing else.
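
    Added example, not written by any poster in this thread: one way to combine the registry-polling idea from post #6 with the audit-log idea from post #13. It assumes "Audit logon events" and "Audit process tracking" are enabled on the XP workstation (Security log event IDs 528 logon, 538 logoff, 592 process creation) and that both logs have been exported to the constructed pipe-delimited layout shown; the user names, the `setup_example.exe` image name and the function names are hypothetical.

```python
from datetime import datetime
# Constructed sample data; the pipe-delimited layout is assumed for this example.
POLL_LOG = """\
2009-02-13 08:00:00|absent
2009-02-13 12:00:00|absent
2009-02-13 16:00:00|present
"""
SECURITY_LOG = """\
2009-02-13 07:55:10|528|alice|0x1A2B|type=2
2009-02-13 11:58:40|538|alice|0x1A2B|
2009-02-13 12:05:02|528|bob|0x2C3D|type=2
2009-02-13 13:17:45|592|bob|0x2C3D|C:\\Documents and Settings\\bob\\Desktop\\setup_example.exe
2009-02-13 14:30:00|538|bob|0x2C3D|
2009-02-13 14:41:19|528|carol|0x3E4F|type=2
2009-02-13 17:02:00|538|carol|0x3E4F|
"""
FMT = "%Y-%m-%d %H:%M:%S"

def install_window(poll_log):
    """Return (last poll with key absent, first later poll with key present)."""
    last_absent = None
    for line in poll_log.splitlines():
        stamp, state = line.split("|")
        when = datetime.strptime(stamp, FMT)
        if state == "absent":
            last_absent = when
        elif last_absent is not None:
            return last_absent, when
    return None

def suspects(security_log, window, image_hint):
    """Users logged on during the window, and those who ran a matching image."""
    start, end = window
    open_sessions, logged_on, ran_installer = {}, set(), set()
    for line in security_log.splitlines():
        stamp, event_id, user, logon_id, detail = line.split("|", 4)
        when = datetime.strptime(stamp, FMT)
        if event_id == "528":                              # successful logon
            open_sessions[logon_id] = (user, when)
        elif event_id == "538" and logon_id in open_sessions:  # logoff
            user, began = open_sessions.pop(logon_id)
            if began <= end and when >= start:             # session overlaps window
                logged_on.add(user)
        elif event_id == "592" and start <= when <= end:   # process creation
            if image_hint.lower() in detail.lower():
                ran_installer.add(user)
    # Sessions with no logoff record are treated as still open at the end of the log.
    logged_on |= {u for u, began in open_sessions.values() if began <= end}
    return logged_on, ran_installer
```

    The first set narrows the field to everyone with a session overlapping the polling window; the second names an account only when process-tracking events were being recorded at the time.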

  14. #14
    phony collective progress x136's Avatar
    Bust some kneecaps. Someone will fess or point their horribly mangled finger.

  15. #15
    Senior Member
    I figured it out the really old fashioned way... I checked the work schedule and it just so happened only one person worked between shifts during the time I was there and the app was installed again, so I got 'em. It was pure luck; the chances of being so obvious like that normally wouldn't happen (normally far too many people would have touched the computer during that time frame).

  16. #16
    Senior Member
    One program I highly recommend, but it is expensive, is VMware's ThinApp, formerly Thinstall. Most apps that require admin rights can be "wrapped" by this utility and only run as a user. This allows places to not have to give users administrative rights on machines.

    Thinstall does not work with apps that need drivers to function (like TrueCrypt), but for most things, it is pretty good. It also allows an admin to easily slipstream upgraded versions as well.

  17. #17
    You Know!? For Kids! jsharr's Avatar
    Quote Originally Posted by x136 View Post
    Bust some kneecaps. Someone will fess or point their horribly mangled finger.
    You failed anatomy didn't you?
    Are you a registered member? Why not? Click here to register. It's free and only takes 27 seconds! Help out the forums, abide by our community guidelines.
    Quote Originally Posted by colorider View Post
    Phobias are for irrational fears. Fear of junk ripping badgers is perfectly rational. Those things are nasty.

  18. #18
    phony collective progress x136's Avatar
    Quote Originally Posted by jsharr View Post
    You failed anatomy didn't you?
    Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.

  19. #19
    Gears? CliftonGK1's Avatar
    Quote Originally Posted by x136 View Post
    Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.
    Not if you tie their hands behind the chair first.


    ... amateurs.
    "I feel like my world was classier before I found cyclocross."
    - Mandi M.

  20. #20
    phony collective progress x136's Avatar
    Quote Originally Posted by CliftonGK1 View Post
    Not if you tie their hands behind the chair first.


    ... amateurs.
    That just makes more work when you want to also break their fingers. Why not let their reflexes help you out?

  21. #21
    Senior Member DannoXYZ's Avatar
    You guys ever seen a knee bent backwards in reverse???
