Archive for the 'Auditing' Category

by mb
on Oct 5th, 2006

Audit the Start Menu

Have you ever needed to audit which icons users click on the Start Menu? It makes quite an impressive forensics report when you can say exactly who clicked what and when. Well, you can do it in Windows pretty easily. First, enable auditing on all files under C:\Documents and Settings\All Users\Start Menu, as well as on each individual user's Start Menu. Make sure your local security policy is set to audit object access; then every time someone clicks on a Start Menu icon, it will generate an Event Log entry.

Here’s a Log Parser query you can use to build a list of clicked icons:

logparser "SELECT TimeGenerated, RESOLVE_SID(SID), EXTRACT_PREFIX(EXTRACT_FILENAME(Path), 0, '.lnk') AS Item USING EXTRACT_TOKEN(Strings, 2, '|') AS Path FROM Security WHERE Path LIKE '%Start Menu%.lnk' ORDER BY TimeGenerated" -i:EVT

You could also extend this to include icons on the desktop and on quick launch toolbars.

Hint: do you need to re-create Start Menu clicks on a system that didn’t have auditing enabled? Try looking at the last accessed date of each .lnk file. It’s not as accurate as the Event Log, but you’d be surprised what you can discover.
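As an added example (not part of the original post, and not Log Parser itself), the script below re-implements the query's logic in Python over constructed Security event records, and then the fallback from the hint: listing .lnk files by last-access time. It assumes the Log Parser layout the query relies on, with the object path as the third pipe-delimited token of Strings; the SID_NAMES table is a hypothetical stand-in for RESOLVE_SID(), which needs a live SAM or domain to resolve names.

```python
"""Offline re-implementation of the Start Menu audit report.

Constructed sample events stand in for the Security event log. SID
resolution uses a hypothetical lookup table (SID_NAMES) in place of Log
Parser's RESOLVE_SID(), and the object path is taken from token index 2
of Strings, exactly as the Log Parser query does.
"""
import os
import tempfile
import time
from typing import Dict, List, Tuple

# Constructed security events shaped like Log Parser's EVT fields:
# (TimeGenerated, SID, Strings). Strings is the pipe-joined insertion-string list.
SAMPLE_EVENTS = [
    ("2006-10-05 08:01:12", "S-1-5-21-1-2-3-1001",
     "Security|File|C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Notepad.lnk|1234|..."),
    ("2006-10-05 08:03:40", "S-1-5-21-1-2-3-1002",
     "Security|File|C:\\Documents and Settings\\bob\\Start Menu\\Programs\\Accessories\\Calculator.lnk|1235|..."),
    ("2006-10-05 08:04:00", "S-1-5-21-1-2-3-1001",
     "Security|File|C:\\Documents and Settings\\alice\\My Documents\\notes.txt|1236|..."),   # not a shortcut
    ("2006-10-05 08:05:30", "S-1-5-21-1-2-3-1002",
     "Security|File|C:\\Documents and Settings\\All Users\\Desktop\\Shortcut to Wordpad.lnk|1237|..."),  # desktop, not Start Menu
]

# Hypothetical SID-to-account map standing in for RESOLVE_SID().
SID_NAMES: Dict[str, str] = {
    "S-1-5-21-1-2-3-1001": "CORP\\alice",
    "S-1-5-21-1-2-3-1002": "CORP\\bob",
}


def extract_token(strings: str, index: int, sep: str = "|") -> str:
    """EXTRACT_TOKEN: the index-th separator-delimited field, or '' if absent."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def extract_filename(path: str) -> str:
    """EXTRACT_FILENAME: last component of a backslash-separated Windows path."""
    return path.rsplit("\\", 1)[-1]


def extract_prefix(value: str, index: int, sep: str) -> str:
    """EXTRACT_PREFIX: everything before the (index+1)-th occurrence of sep."""
    return sep.join(value.split(sep)[: index + 1])


def clicked_items(events, sid_names=SID_NAMES) -> List[Tuple[str, str, str]]:
    """Mirror the Log Parser query: (TimeGenerated, account, Item) rows, oldest first."""
    rows = []
    for time_generated, sid, strings in events:
        path = extract_token(strings, 2)
        # WHERE Path LIKE '%Start Menu%.lnk' (matched case-insensitively here)
        lowered = path.lower()
        if "start menu" not in lowered or not lowered.endswith(".lnk"):
            continue
        item = extract_prefix(extract_filename(path), 0, ".lnk")
        rows.append((time_generated, sid_names.get(sid, sid), item))
    rows.sort(key=lambda row: row[0])  # ORDER BY TimeGenerated
    return rows


def lnk_by_last_access(start_menu_dir: str) -> List[Tuple[float, str]]:
    """Fallback from the hint: every .lnk under start_menu_dir, most recently accessed first."""
    found = []
    for root, _dirs, files in os.walk(start_menu_dir):
        for name in files:
            if name.lower().endswith(".lnk"):
                full = os.path.join(root, name)
                found.append((os.stat(full).st_atime, full))
    found.sort(reverse=True)
    return found


def demo_lnk_by_last_access() -> List[str]:
    """Build a constructed Start Menu tree in a temp dir; return item names newest-accessed first."""
    base = tempfile.mkdtemp(prefix="startmenu_")
    programs = os.path.join(base, "Programs")
    os.makedirs(programs)
    now = time.time()
    # Constructed shortcuts: (name, seconds since last access). Contents are irrelevant here.
    for name, age in [("Notepad.lnk", 3600), ("Calculator.lnk", 60), ("Paint.lnk", 86400)]:
        full = os.path.join(programs, name)
        with open(full, "wb") as fh:
            fh.write(b"")
        os.utime(full, (now - age, now - age))  # set atime and mtime explicitly
    return [extract_prefix(os.path.basename(p), 0, ".lnk") for _atime, p in lnk_by_last_access(base)]


if __name__ == "__main__":
    for when, who, item in clicked_items(SAMPLE_EVENTS):
        print(f"{when}  {who:<12}  {item}")
    print("By last access:", demo_lnk_by_last_access())
```

Two caveats worth keeping in mind when reading either report. An object-access entry for a .lnk is also logged when Explorer reads the shortcut to draw the menu, so the event's access mask deserves a look before every row is counted as a click. And NTFS last-access updates can be switched off (the NtfsDisableLastAccessUpdate setting, which later Windows versions disable by default) and are bumped by antivirus scans and indexing as well, so the atime list corroborates rather than proves.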

Acronis True Image 10.0 Upgrade