Monitor a user’s every move

I admit I’ve looked through Web logs to see which users on my company’s network hit illicit Web sites and which spend hours surfing instead of working. And, yes, as a network administrator, I’ve also used data-packet–capture tools for troubleshooting.

However, some administrators might find more detailed user-activity reports desirable, especially if they suspect illegal conduct on the business’s computer systems. WinWhatWhere’s WinWhatWhere Investigator 3.0 is more than a Web log. The product captures data from Windows 2000, Windows NT, Windows Millennium Edition (Windows Me), and Windows 9x machines. WinWhatWhere Investigator records much more than the URLs that your network’s users access and how long they spend at each site; it also captures information about user actions, such as opening and closing windows and making keystrokes in any applications running on monitored computers. You can monitor machines locally, with independent databases, or you can configure monitored machines on your network to store data on the same path, thus creating a centralized WinWhatWhere Investigator database. You can also configure machines not on your network to email captured data to the administrator, who can easily incorporate the emailed information into the database. Administrators can use the product’s Investigator Reports component to view this database. Investigator Reports uses SQL queries to filter, sort, and report data from the database.

Being an information aficionado, I had no trouble transforming from a network administrator to a private investigator. I installed the product on my Win2K Professional machine. By default, WinWhatWhere Investigator installs and records data to the \winnt\system32\oble path. This inconspicuous path might thwart anyone in search of the program’s location.

After the installation, an Investigator Setup icon and an Investigator Reports icon appeared on my desktop. I used Investigator Setup to configure the program’s parameters—such as Show splash screen, Start with Windows, and Monitor Keystrokes—for a monitored machine. I ran Investigator Setup and selected configurations suitable for testing the product’s local monitoring functions. For example, I configured WinWhatWhere Investigator to display an icon in the system tray. This handy icon turns green to show the product is turned on; each captured keystroke animates the icon. A red icon shows the product is turned off. (You can configure the product to turn on at specific times and capture data from specific programs.) I configured the product to capture data at all times from every application on the computer.

After I saved my configurations, I transformed from investigator to perpetrator. I surfed to illicit Web sites, composed fictitious slanderous email about my boss, and slipped imaginary company secrets into a short note that I typed using Helios Software Solutions’ TextPad. Switching back to my detective persona, I clicked the product’s system-tray icon and opened Investigator Reports to view the captured data.

Investigator Reports’s well-designed main screen showed everything I’d done on my computer after I’d configured the product. Not only did this report show that I’d surfed to but also how much time I’d spent there. As Figure 1 shows, Investigator Reports can identify the application users open and close, URLs they visit, time they spent at each location, and keystrokes they make, presented in both Raw and Formatted form. (Raw text includes additional characters such as <SHIFT> and <BACK>.) Investigator Reports also reports the username, workstation name, number of keystrokes, date, and start time. You can use this information to report employee productivity or lack thereof.

WinWhatWhere Investigator initially captures data to a temp file. Therefore, I often needed to refresh the database to which the product finally commits data.

I viewed the lock file zw84.ldb while the product was running and discovered that the product’s database platform is Microsoft Access. To enable users’ machines to send data to a centralized database, the WinWhatWhere Investigator database requires that the Everyone groups has Full Control. Therefore, anyone who knows where the .dat database file is can use Access to read the product’s data, and you need to take special care to secure the database file.

WinWhatWhere offers a free downloadable tool for building customized mass deployments. I prepared a mass installation but didn’t deploy (I had only one computer license). When you perform a remote installation, as most administrators will, you can select a deployment option to display a default or custom banner on the monitored computer. This banner informs users that you’re gathering information about their computer usage.

Making users aware that you’re monitoring everything they do on their computers might be enough to deter unwanted behavior. However, stealthy deployment is an important option for any snoopware application. If secrecy is paramount, you can select the Display nothing during installation deployment option. This option also restarts Windows after the remote installation so that the product can begin capturing data when the user logs on again.

If you can’t configure a machine to send data to a centralized database (e.g., when you’re monitoring computers that aren’t on your network), you configure the product to email information to you. WinWhatWhere Investigator only emails information when an Internet connection is established. The product emails data at intervals you specify. You receive an email containing information such as the time, the username, the monitored machine name and IP address, as well as an attachment. When you open the attachment, the product updates the database with captured information. You can then view the data from Investigator Reports.

The type of information WinWhatWhere Investigator captures gives the product potential for misuse. One of my first questions about the product was whether it would capture passwords. To answer my own question, I tested several actions that prompted me for passwords (e.g., I mapped a drive to a network share). The product successfully captured every password in every test. I also accessed my checking account online, and WinWhatWhere Investigator captured my online banking credentials.

My next question was whether Investigator could run as a service and capture initial Windows logon information. The documentation didn’t include instructions for running the product as a Win2K service or an NT service, so I tried to use the Microsoft Windows 2000 Professional Resource Kit’s srvinstw.exe utility to create a WinWhatWhere Investigator service. I made several attempts, but the service failed to start.

I queried WinWhatWhere and learned that the product currently can’t run as a service, although the vendor told me that future releases will offer that ability. I also learned that although the product starts when Windows starts, the program doesn’t interface with the startups of other Win9x applications (e.g., virus detectors, backup agents) because it doesn’t begin capturing data until after the logon sequence finishes. (Product startup isn’t a problem in Win2K or NT.)

WinWhatWhere Investigator surprised me with features that show admirable forethought about how administrators and investigators would use the application. The product includes useful database-maintenance functions. For example, because the product collects so much data, WinWhatWhere Investigator provides multiple options for deleting old records from the database (e.g., you can delete records by user or from before a certain date). Investigator Reports also shows each report’s SQL query, as Figure 1 shows. Plentiful querying options narrow the data in the report. However, before I realized that Investigator Reports defaults at every setup to the last session’s query, I spent several minutes trying to figure out why the product had stopped capturing data. In fact, the product hadn’t stopped; my filter was simply set to a previous query.

WinWhatWhere Investigator lacks features that similar products offer. For example, Idigital Technologies’ Key Thief captures screen shots at defined intervals and encrypts the database file. Other products won’t capture passwords, and other applications can run as services. But because these types of products share similar core functionality and fall in competitive price ranges, choosing the product that’s right for your company will often come down to individual needs. For example, if you want to use the product as a deterrent of unwanted behavior, you might want to use WinWhatWhere Investigator for its ability to inform users that they’re being watched. If you want to deploy the product across a large network and simultaneously monitor multiple workstations on a centralized database, the product would also be attractive.

Like any snoopware application, WinWhatWhere Investigator has potential for misuse: Capturing usernames and passwords is a risky practice. The product also has potential for security breaches: unauthorized users can access the product’s database too easily. Overall, WinWhatWhere Investigator lives up to its claims: It deploys easily, and administrators can quickly access the centrally stored data. From one private investigator to another, I recommend the product. Now, back to my network.

WinWhatWhere Investigator 3.0
Contact: WinWhatWhere * 509-585-9293
Price: 1 to 9 licenses, $99 each; 10 to 19 licenses, $49.50 each;
20 to 49 licenses, $45 each; 50 to 99 licenses, $36 each
Decision Summary:
Pros: Deploys easily; provides a well-designed and customizable reporting tool; captures data for multiple users on a centralized database; includes useful database maintenance functions
Cons: Can’t capture screen shots; doesn’t run as a service; could be misused to capture user-account information; the product’s platform for centralizing the database introduces security vulnerabilities