The deputy director of security calls me into his office. The task: a security officer wants to see what each employee did during the day, preferably with an archive of several days. During the conversation it turns out that he is not at all interested in keyboard input; he only needs to see what was on the monitor screen during working hours.
Let's consider how we could implement all this. What do we need?
- A program that runs hidden, without notifications, contains no code that antivirus flags as malicious, is lightweight, and does not interfere with the user's work.
- Network storage, at a rate of at most 1 GB per user for three days.
- A server that performs no important network roles and has a lightly loaded network interface.
- The data obtained should be easy to process and analyze.
We immediately rule out recording video, because:
- firstly: too much data: a 9-hour working day of one employee came out to about 2 GB even in the most economical format;
- secondly: a heavy load: even the least conspicuous recorder causes noticeable discomfort for the user;
- thirdly: the information is inconvenient to analyze: when a report on an employee is needed, it means rewinding hours of video, cutting it, and a lot of questions like "How?";
- fourthly: not all such programs can work with terminal sessions or recover after the machine comes out of lock or sleep.
So we arrive at the only option: taking screenshots. There are a huge number of programs for this purpose, but they all have plenty of flaws, namely:
- They are often identified as viruses, and many cannot even be added reliably to the antivirus exclusion list.
- Insufficient or superfluous functionality.
- Excessive interference with the user's workspace ("Oh, why is my mouse twitching and the screen flashing every minute?").
- Decent programs come only as part of a comprehensive solution, with reporting centers, and for big money.
For several months I tried a variety of programs, including paid ones with trial periods. And each time, during the trial run, I ran into a bunch of the problems described above. I even went to the presentation of one of the heavily promoted products, which almost measures how much coffee the employee drank during the day. Nothing was right; everything was either too bulky or too crooked. A simple solution was needed, light and effective. And then I began to look not towards ready-made solutions, but towards universal scripts.
For starters, every Windows computer has a command line. There is a domain, there are group policies and log-on scripts. All I have to do is start a loop from the command line that takes screenshots and writes them to a local folder. On the server, I create a scheduler task repeating every hour, which collects all accumulated screenshots from the computers and stores them in the folder our security officer will view. The problem is that the command line has no "take a screenshot" functionality. But nircmd has it, and more.
Its advantages: free, lightweight, no viral code, and flexible.
So, let's begin. First of all we need to run nircmd so that the end user is unaware of it. A VBS one-liner helps here:
' Run the file named in the first argument with a hidden window (0) and without waiting for it (False)
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
Let's call it admin.vbs and add it to our log-on script:
cmdow @ /HID
ECHO off
REM ----- PREPARE INJECTION ---------------------------------------------------------------
MKDIR C:\WINDOWS\Security\Domain\
MKDIR C:\WINDOWS\Security\Domain\Log
IF EXIST "C:\WINDOWS\Security\Domain\start.bat" (
    DEL C:\WINDOWS\Security\Domain\start.bat
    DEL C:\WINDOWS\Security\Domain\finish.bat
    REM ----- INJECT --------------------------------------------------------------------------
    copy "\\SYSVOL\Domain\scripts\monitor\inject\start.bat" "C:\WINDOWS\security\Domain\"
    copy "\\SYSVOL\Domain\scripts\monitor\inject\finish.bat" "C:\WINDOWS\security\Domain\"
)
REM The inject folder also holds nircmd.exe and admin.vbs; copy everything in it.
copy "\\SYSVOL\Domain\scripts\monitor\inject" "C:\WINDOWS\security\Domain\"
ping 127.0.0.1 -n 1 -w 1000 > nul
REM ----- LOG MONITOR ---------------------------------------------------------------------
IF "%1"=="/login" (goto LOG-IN)
IF "%1"=="/logout" (goto LOG-OUT)
:LOG-IN
wscript.exe "C:\WINDOWS\security\Domain\admin.vbs" "C:\WINDOWS\security\Domain\start.bat"
(ECHO %DATE% %TIME% --- %COMPUTERNAME%: %USERNAME%: LOGGED IN. Processing start.bat )>>"\\DomainController\LOG\nir_journal.txt"
goto :EOF
:LOG-OUT
REM wscript.exe "C:\WINDOWS\security\Domain\admin.vbs" "C:\WINDOWS\security\Domain\finish.bat"
(ECHO %DATE% %TIME% --- %COMPUTERNAME%: %USERNAME%: LOGGED OUT. Processing finish.bat )>>"\\DomainController\LOG\nir_journal.txt"
goto :EOF
First we delete the old versions of our batch files and download new ones, and we also download nircmd.exe and admin.vbs itself. Now start.bat and finish.bat will run invisibly to the user. Fill start.bat with the following content:
echo off
REM 43200 iterations * 60000 ms: 60*24*30 minutes = 1 month of one screenshot per minute.
c:\windows\Security\Domain\nircmd.exe loop 43200 60000 savescreenshot "c:\windows\Security\Domain\Log\scr~$currdate.MM_dd_yyyy$-~$currtime.HH_mm_ss$.jpg"
And that's it for the user side. Now, on every computer where needed, the nircmd process will be running (if the exe is renamed, the process name changes too), which as a rule attracts no one's attention. The process takes a screenshot every minute for a month and saves it in c:\windows\Security\Domain\Log\. If the user does not log out for a month, that is a special case: you can simply kick him out in the evening for prevention, citing updates, or log in as him and run the log-on script again. The only thing to take care of in advance is allowing the user to write to the folder:
cacls "\\%PC%\C$\windows\Security" /G %USER%:F
This has to be run as an administrator for every PC\user pair in the monitored group. But you can also not bother, because there are Users\Public folders, where users have write access by default.
As practice has shown, nircmd works correctly only when it is started by the user (PsExec does not help; it produces a black screen), and it also works fine in terminal sessions, where you only need to separate the log folders by user name.
Now let's configure the server. We write one batch file that handles collection, cleanup, and recreation of the storage directories.
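The one thing the client side gives you no feedback on is whether the nircmd loop survived the whole day (lock, sleep, a killed process). The file names alone are enough to check that. The following Python script is an added example, not code from the original post or from nircmd: it parses the scr~MM_dd_yyyy-HH_mm_ss.jpg names that start.bat produces, reports gaps between consecutive captures, and computes how much of the expected one-per-minute coverage is present. The directory listing is constructed, and the two-minute gap tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta

# start.bat names each capture scr~MM_dd_yyyy-HH_mm_ss.jpg (nircmd's
# ~$currdate.MM_dd_yyyy$ and ~$currtime.HH_mm_ss$ substitutions).
NAME_RE = re.compile(r"^scr~(\d{2})_(\d{2})_(\d{4})-(\d{2})_(\d{2})_(\d{2})\.jpg$")

# Constructed directory listing for one PC and one day (not real data):
# a capture every minute from 09:00 to 09:05, then nothing until 09:47
# (say the PC was locked and the nircmd loop did not survive it), then
# every minute again until 09:50, plus the Thumbs.db Explorer leaves behind.
SAMPLE_FILES = (
    [f"scr~05_12_2014-09_{m:02d}_03.jpg" for m in range(0, 6)]
    + [f"scr~05_12_2014-09_{m:02d}_03.jpg" for m in range(47, 51)]
    + ["Thumbs.db"]
)


def parse_timestamp(name):
    """Return the capture time encoded in a screenshot file name, or None
    for anything that is not one of our screenshots."""
    m = NAME_RE.match(name)
    if not m:
        return None
    mon, day, year, hh, mm, ss = (int(x) for x in m.groups())
    return datetime(year, mon, day, hh, mm, ss)


def capture_times(names):
    """Sorted capture times of all screenshot names in the listing."""
    return sorted(t for t in map(parse_timestamp, names) if t is not None)


def find_gaps(names, interval=timedelta(minutes=1), tolerance=timedelta(minutes=2)):
    """(start, end) pairs where two consecutive captures are further apart than
    interval + tolerance (assumed tolerance): the agent stopped, or the PC was
    off or asleep."""
    stamps = capture_times(names)
    return [(prev, cur) for prev, cur in zip(stamps, stamps[1:])
            if cur - prev > interval + tolerance]


def coverage(names, interval=timedelta(minutes=1)):
    """Share of the expected one-per-interval captures that are actually present
    between the first and the last capture of the listing (1.0 = no gaps)."""
    stamps = capture_times(names)
    if len(stamps) < 2:
        return 1.0 if stamps else 0.0
    expected = int((stamps[-1] - stamps[0]) / interval) + 1
    return len(stamps) / expected


if __name__ == "__main__":
    for start, end in find_gaps(SAMPLE_FILES):
        print(f"gap: {start:%H:%M:%S} -> {end:%H:%M:%S} ({end - start})")
    print(f"coverage: {coverage(SAMPLE_FILES):.0%}")
```

Pointing it at a day folder in the repository (os.listdir of e:\roam\PC\date) gives the security officer a quick answer to "was this PC actually being captured all day?" before he starts scrolling through pictures.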
@echo off
setlocal ENABLEDELAYEDEXPANSION
cd /d e:\
IF "%1"=="/repair" (goto REPAIR)
IF "%1"=="/scan" (goto SCANCOPY)
IF "%1"=="/archive" (goto ARCHIVE)

:SCANCOPY
REM ------------- Collect: walk loop.txt and pull the screenshots from every PC.
REM "call" is required here; without it control jumps into scancopy.bat and never returns.
for /F "tokens=*" %%A in (e:\auto\loop.txt) do (
    if %%A EQU @END_OF_LOOP (
        exit /b
    ) else (
        call e:\auto\scancopy.bat %%A
    )
)
goto :EOF

:ARCHIVE
REM ------------- Archive: remove Explorer litter, then everything older than 5 days.
attrib -H -S /S e:\roam\Thumbs.db
del /F /S /Q e:\roam\Thumbs.db
attrib -H -S /S e:\roam\_desktop.ini
del /F /S /Q e:\roam\_desktop.ini
forfiles -p e:\roam -m *.* -s -d -5 -c "cmd /c del /q @path"
REM (falls through into REPAIR, which removes the day folders that are now empty)

:REPAIR
REM ------------- Repair: remove empty directories under e:\roam (rd without /s only
REM removes empty ones), then recreate one folder per PC from loop.txt.
goto start
:fn1
for /d %%i in ("%~1\*") do (call :fn1 "%%i" & rd /q "%%i")
exit /b
:start
call :fn1 "e:\roam"
:REPAIR_P2
for /F "tokens=*" %%A in (e:\auto\loop.txt) do (
    if %%A EQU @END_OF_LOOP (
        exit /b
    ) else (
        MKDIR e:\roam\%%A\
    )
)
Contents of scancopy.bat:
@ECHO off
REM %1 is one host name or IP address from loop.txt.
set DEST=%1
IF not EXIST "\\%DEST%\ADMIN$" ( goto :EOF )
IF not EXIST "\\%DEST%\ADMIN$\Security\Domain\Log" (
    (ECHO WARNING --- %DATE% %TIME% --- %DEST%: Log folder not found! )>>"\\DomainController\LOG\nir_journal.txt"
    goto :EOF
)
REM /a-d lists files only; if there are none, dir fails and the || branch runs.
>nul 2>nul dir /a-d "\\%DEST%\ADMIN$\Security\Domain\Log\*" && (GOTO TRANSFER) || (
    (ECHO WARNING --- %DATE% %TIME% --- %DEST%: Zero files in source folder! )>>"\\DomainController\LOG\nir_journal.txt"
    goto :EOF
)
:TRANSFER
REM %DATE% is used as a folder name, so it must not contain "/" or spaces
REM (it does on an en-US system, e.g. "Mon 05/12/2014"; dd.mm.yyyy is fine).
IF NOT EXIST e:\roam\%DEST%\%DATE%\ ( MKDIR e:\roam\%DEST%\%DATE%\ )
REM /MOV removes the files from the PC after copying; the success line below is
REM written unconditionally, robocopy exit codes below 8 mean success.
robocopy \\%DEST%\ADMIN$\Security\Domain\Log e:\roam\%DEST%\%DATE%\ /MOV /R:0
(ECHO SERVICE --- %DATE% %TIME% --- %DEST%: Files transfer success. )>>"\\DomainController\LOG\nir_journal.txt"
loop.txt is just a list of computers or IP addresses, one per line. At the end of the list stands @END_OF_LOOP as the end-of-list marker.
We create three tasks in the scheduler that run service /scan every hour, service /repair every day, and service /archive every day. That's all, our monitoring system is ready. We give the security officer a link to each folder in the repository (named by surname), explain how it works, and let him sit and play.
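Both the log-on script and scancopy.bat append to \\DomainController\LOG\nir_journal.txt, and that journal is the fastest way to see whether collection is actually working on every PC before anyone looks at a single picture. The following Python script is an added example, not code from the original post: it parses the three line shapes the scripts write (plain log-on lines, WARNING lines, SERVICE lines), summarizes them per host, and lists hosts that only ever produced warnings. The sample lines are constructed; the dd.mm.yyyy date and the comma-fraction time are assumptions about the locale of the hosts writing the journal.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt of \\DomainController\LOG\nir_journal.txt (not real data).
# The message texts are the ones the log-on script and scancopy.bat append;
# dates are assumed to be in the dd.mm.yyyy form %DATE% gives on a
# Russian-locale host, and %TIME% is assumed to look like " 8:58:03,11".
SAMPLE_JOURNAL = """\
12.05.2014  8:58:03,11 --- PC-101: ivanov: LOGGED IN. Processing start.bat
12.05.2014  9:02:40,52 --- PC-102: petrov: LOGGED IN. Processing start.bat
SERVICE --- 12.05.2014 10:00:01,07 --- PC-101: Files transfer success.
WARNING --- 12.05.2014 10:00:02,33 --- PC-102: Log folder not found!
SERVICE --- 12.05.2014 11:00:01,19 --- PC-101: Files transfer success.
WARNING --- 12.05.2014 11:00:02,41 --- PC-102: Log folder not found!
WARNING --- 12.05.2014 11:00:03,02 --- PC-103: Zero files in source folder!
this line is torn garbage and must be skipped
12.05.2014 18:01:15,77 --- PC-101: ivanov: LOGGED OUT. Processing finish.bat
"""

# Optional "WARNING --- " / "SERVICE --- " prefix, then date, time, " --- ", host, ": ", message.
LINE_RE = re.compile(
    r"^(?:(?P<level>WARNING|SERVICE) --- )?"
    r"(?P<date>\d{2}\.\d{2}\.\d{4}) +(?P<time>\d{1,2}:\d{2}:\d{2}(?:,\d+)?) --- "
    r"(?P<host>[^:]+): (?P<rest>.*?)\s*$"
)


@dataclass
class Event:
    level: str      # "WARNING", "SERVICE", or "LOGON" for the unprefixed log-on script lines
    date: str
    time: str
    host: str
    message: str


@dataclass
class HostStatus:
    logons: int = 0
    transfers: int = 0
    warnings: set = field(default_factory=set)


def parse_journal(text):
    """Parse journal lines; unparseable lines are skipped, since many hosts
    append to this one file concurrently and a torn line is possible."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["level"] or "LOGON", m["date"], m["time"],
                                m["host"].strip(), m["rest"]))
    return events


def summarize(events):
    """Per-host counts of log-ons and hourly transfers plus the distinct warnings seen."""
    status = defaultdict(HostStatus)
    for e in events:
        s = status[e.host]
        if e.level == "LOGON" and "LOGGED IN" in e.message:
            s.logons += 1
        elif e.level == "SERVICE" and "transfer success" in e.message:
            s.transfers += 1
        elif e.level == "WARNING":
            s.warnings.add(e.message)
    return dict(status)


def hosts_needing_attention(status):
    """Hosts that produced warnings and never transferred a single batch:
    the agent is most likely not running there (folder missing, no write
    permission, process gone), so their archive has a hole."""
    return sorted(h for h, s in status.items() if s.warnings and s.transfers == 0)


if __name__ == "__main__":
    status = summarize(parse_journal(SAMPLE_JOURNAL))
    for host, s in sorted(status.items()):
        print(f"{host}: logons={s.logons} transfers={s.transfers} warnings={sorted(s.warnings)}")
    print("needs attention:", hosts_needing_attention(status))
```

Run once a day against the real journal, the "needs attention" list is the set of PCs where someone has to re-run the log-on script or fix the folder permissions from the cacls step.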
Now you can go and do something useful.
Briefly, the structure:
- The log-on script runs nircmd;
- nircmd takes a screenshot every minute and saves them locally;
- Once an hour the server runs robocopy through the PC/IP list and collects the screenshots from the users' machines;
- The manager has links to the folders in the repository and knows that collection happens once an hour and that files older than 5 days are deleted.
The solution has been working in my office for half a year already; no problems have arisen, users do not know about it (but they guess), and the security officer and management are satisfied. The CPU load of nircmd on the most antediluvian PC in the office is 1-2%.