Corporate Computer monitoring detection
December 11, 2006 5:47 AM

How do I figure out what user/usage monitoring software is running on my work laptop?

Laptop runs Windows XP Professional. I want to know if it's recording/transmitting my activity, especially what web sites I'm looking at, but also anything else.

I have unrestricted Local Administrator privileges on it, and can take it home, so I can read/write the registry, run performance monitors, install software, or even potentially hook it to a sniffer.

Related question: it runs startup scripts on boot-up into Windows; where are those stored, and how can I read them?
posted by orthogonality to Computers & Internet (15 answers total)
 
HijackThis will give you a report of everything that is automatically run. So will Autoruns from Sysinternals. I believe both are free.
posted by grouse at 5:59 AM on December 11, 2006


Hell, you can look at the Task Manager process list and google the executable names. That said, if you have full privs on it, I doubt they put anything on there. If you're worried, reinstall windows.
posted by cellphone at 6:00 AM on December 11, 2006


Or if you're worried and don't want them to know you checked it out, run a Linux live cd like knoppix or ubuntu.
posted by thilmony at 6:14 AM on December 11, 2006


Run Procmon for a while and watch what comes up. Since you can't be online all the time anything they're running would have to be storing captured data locally, so chances are this will catch the process in question and also the file it's writing to so you can see what they're capturing.
posted by saraswati at 6:32 AM on December 11, 2006


cellphone writes "If you're worried, reinstall windows."

Be careful with this, you may not (probably don't) have access to all the software the company installs. And if your company runs a domain there is a good chance you won't be able to join it to the domain.
posted by Mitheral at 6:57 AM on December 11, 2006


Check your list of All Programs to see if there is anything called "Timbuktu Pro."
posted by mattbucher at 7:59 AM on December 11, 2006


A good one would be hidden from the Task Manager list, and even better might be hidden in an existing task. Any files written would also likely be hidden, perhaps even on a separate partition on the hard drive, and the results would be encrypted sufficiently so as to not be recognizable to someone examining the hard drive. Monitoring disc and file access would seem to be the best bet. I think procmon should do this, or filemon and diskmon.
posted by caddis at 8:31 AM on December 11, 2006


You may be missing the bigger picture. Where I work, we monitor all web traffic for all users and we don't put any software on the workstations to do it.

No, we can't see where you go when you're on your home network, but if you are in our facility, or on our VPN, we see everything. We also capture all your mail and archive it.

If you reinstall windows, we will laugh at you when you can't get back into the domain. If you mess with our logon scripts, we'll know, and we will automatically fix them the next time you touch the home network. If you disable one of our updaters or patchers and end up bringing a virus into our network, we'll know it was you and will publicly shame you for it.

We work hard to do this, because it only takes one of you calling in for support from South Africa or Mongolia to really derail our day. The more standardization on our fleet, the more machines we can support.

The bottom line is that this machine and all the data on it belong to your employer. And IT departments are clever and vengeful. If you're looking for privacy, get your own laptop.
posted by Area Control at 1:21 PM on December 11, 2006


The bottom line is that this machine and all the data on it belong to your employer.

Fine, but the poster said "web sites I'm looking at" and I don't know how you define ownership, but just because you look at Metafilter from your work computer does not mean your employer "owns" Metafilter and all data associated therewith. You don't put any software on the workstations but does the company use some kind of web-blocker to restrict web access to pr0n and gambling?

And IT departments are clever and vengeful.
Among other things.
posted by mattbucher at 2:10 PM on December 11, 2006


Not all IT departments are vengeful. Area Control is correct, in a domain environment with competent staff very little is required on the workstation to gather the data that you're asking about. Most of the time, login scripts simply set up the environment on the workstation (map drives, printers etc.), ensure that patches are deployed (well, WSUS handles this a lot better now), possibly log a logon event for that workstation (from a support perspective, you'd be surprised how often that information comes in handy. Not to mention the fact that, in the event that there is a security concern involving the authorities, it is the first bit of data they request), or audit software licensing for our compliance officers.

In all likelihood, any software that is actively running on the workstation that might fall into the big brother category is strictly for deployment or protection purposes. So, look for Altiris, Symantec Ghost program folders in C:\Program Files\. Actually, a cursory glance through the Program Files folder or in the registry at HKLM\Software\ and Google queries on any unknown folders or keys will probably give you a good idea on what's running.

In all honesty though, your absolute best bet? Ask the people responsible for deploying and supporting your workstation. Every environment is different, however, we have a mandate to inform all interested parties of each piece of software installed on our workstations. We publish a list each year (our standard image document) and hold information sessions detailing each of the software packages installed and/or possibly explain or train staff on their uses.

If you want to email me a list of either the running processes or any questionable folders/keys I'd be more than happy to try to identify them for you.
posted by purephase at 4:26 PM on December 11, 2006
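
One way to script the manual checks suggested in the answers above (what runs automatically, where logon scripts are stored, and what sits under Program Files and HKLM\Software), as an added example that is not part of the original thread. The function names are illustrative, and it covers only a handful of well-known Windows auto-start locations, far fewer than Autoruns reports; which of them exist depends on the Windows version.

```powershell
# Added example: read-only inventory of auto-start and installed-software locations.
# Targets Windows PowerShell 2.0-5.1 (Get-WmiObject is absent from PowerShell 7).
# Function names are illustrative, not from any tool mentioned in the thread.
function New-Row($section, $name, $value) {
    New-Object PSObject -Property @{ Section = $section; Name = $name; Value = $value }
}
function Get-RegValues($section, $key) {
    # One row per value stored directly under the given registry key.
    if (-not (Test-Path $key)) { return }
    $k = Get-Item $key
    foreach ($n in $k.GetValueNames()) { New-Row $section "$($k.Name)\$n" ($k.GetValue($n)) }
}
function Get-StartupInventory {
    # Run/RunOnce values start at logon; Winlogon holds the Userinit and Shell commands.
    $cv = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($key in "HKLM:\$cv\Run", "HKLM:\$cv\RunOnce", "HKCU:\$cv\Run", "HKCU:\$cv\RunOnce") {
        Get-RegValues 'Run key' $key
    }
    Get-RegValues 'Winlogon' 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' |
        Where-Object { $_.Name -match '\\(Userinit|Shell)$' }

    # Group Policy startup/shutdown (HKLM) and logon/logoff (HKCU) script entries.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $gp = "$root\Software\Policies\Microsoft\Windows\System\Scripts"
        if (Test-Path $gp) {
            Get-ChildItem $gp -Recurse | ForEach-Object { Get-RegValues 'GPO script' $_.PSPath }
        }
    }
    # Per-user and all-users Startup folders, plus the logon server's NETLOGON
    # share, where domain logon scripts are normally stored.
    $common = "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"        # Vista and later
    if (-not (Test-Path $common)) { $common = "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup" }  # XP
    $dirs = @([Environment]::GetFolderPath('Startup'), $common)
    if ($env:LOGONSERVER) { $dirs += "$env:LOGONSERVER\NETLOGON" }
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem $d | ForEach-Object { New-Row 'Startup file' $_.FullName $_.LastWriteTime }
        }
    }
    # Services configured to start automatically, with the binary each one runs.
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object { New-Row 'Auto service' $_.Name $_.PathName }

    # The two places purephase suggests browsing: Program Files and HKLM\Software.
    Get-ChildItem $env:ProgramFiles | Where-Object { $_.PSIsContainer } |
        ForEach-Object { New-Row 'Program Files' $_.Name $_.LastWriteTime }
    Get-ChildItem 'HKLM:\Software' | ForEach-Object { New-Row 'HKLM\Software' $_.PSChildName '' }
}
Get-StartupInventory | Sort-Object Section, Name | Format-Table Section, Name, Value -AutoSize -Wrap
```

As several answers point out, an empty result here says nothing about monitoring done on the network side (proxy, VPN, mail archive), which leaves no trace on the workstation.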


Seriously, the chances of them having offline monitoring software that captures keystrokes of websites visited is small. That is usually reserved for someone already identified as a potential problem. If they did though, it could be very difficult to spot, even for a computer guy like you. Partly that is just information overload. Windows has so many things going, and most corporate environments add a ton more that sorting out what they all are up to as they run or access your drives is quite a challenge. I think purephase has the best advice, just ask a sys admin. They will probably tell you, unless of course, they only install this software for select suspicious employees and you are one of them.
posted by caddis at 5:07 PM on December 11, 2006


I'm not gonna bother linking you to all the other questions just like this one on Ask.Mefi, but it seems to suffice to say that you really didn't look around before posting.

I'm going to give in and say here what I say every time this question comes up, because I like saying it.

You're at work. The computer doesn't belong to you. Always, ALWAYS assume you're being watched. That's it.

If not via keylogging, then via screenshotting, or neighbor peeking, or cameras, or innumerable other possibilities. You're being paid to use someone else's computer. If they're not watching you, then they're stupid or negligent or (most likely) both.

When you're at home working/playing/whatevering on your own PC, that's obviously different.

But when you're at work, you'd better act like you're being watched.

Even if you weren't being watched: Would you really want to work for a company this dumb?
posted by SlyBevel at 10:35 PM on December 11, 2006


Don't take it personally, though. In a lot of situations, the IT department is required by some arcane Sarbanes-Oxley rule to keep track of you and your traffic on the corporate network. We don't get mad because people figure out ways to weasel porn through the filters, or to stream radio stations to their desktops... We get mad because we really do our best to let them know that we watch, we are required to watch, and no there's no privacy. And yet you'd still be surprised what people are willing to expose on a corporate network.
posted by Area Control at 5:22 PM on December 12, 2006


If they're not watching you, then they're stupid or negligent or (most likely) both.

If they are monitoring your every move offline, keystroke, web access, page screens, etc. then they are stupid, negligent and wasting company resources, unless, of course, you have some sort of bad history. Point being, those IT folks who find it necessary to watch every move offline are padding their own accounts. Smart IT VPs fire them.
posted by caddis at 7:04 PM on December 12, 2006


The "don't care" comment really hit the nail on the head. If you're happy with your laptop, and it's working okay, and you're not abusing bandwidth, then no one cares. But please use your own machine for the really kinky stuff.
posted by Area Control at 5:21 PM on December 13, 2006

