[Windows] Monitor user profile logon options?

Discussion in 'other software & services' started by m00nbl00d, Jul 14, 2012.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've been looking around for a way to monitor a user account session login, in order to better understand what exactly the kind of access to the user profile file system and registry is. For instance, I'd like to monitor Read, Write, Delete, Modify, etc. in the user profile file system and registry.

    I know that the process responsible for loading the user profile is winlogon.exe, so I could use Process Monitor and create a filter for winlogon.exe and the user account in question. It should do what I want.

    Are you familiar with any other method, though? Just wondering. :D


    :thumb:
     
  2. m00nbl00d

    m00nbl00d Registered Member

    ProcMon seemed to have worked pretty well. But, I only filtered the user account name, then I chose to enable boot logging, restarted and logged into the user account in question, logged off, and went back to my administrator account and opened ProcMon to finish the work.

    From what I could gather, I can make the user profile folder and HKCU read-only, without any problems.

    Anyway, I can always revert the process from the admin. account. Or, just ditch the user account, as it's easy to do it. :D
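
Added example, not part of the thread: one way to work through a ProcMon boot log offline is to save it as CSV and tally the modifying operations under the profile folder and HKCU, since those are what a read-only profile would block. The user name `testuser`, the sample rows and the function names are constructed for illustration; the header row follows ProcMon's default CSV column layout.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","winlogon.exe","612","RegOpenKey","HKCU\Software\Microsoft","SUCCESS","Desired Access: Read"
"10:01:02.2","winlogon.exe","612","RegSetValue","HKCU\Volatile Environment\USERNAME","SUCCESS","Type: REG_SZ, Length: 18, Data: testuser"
"10:01:03.0","explorer.exe","2040","CreateFile","C:\Users\testuser\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, ShareMode: Read, Write, Delete"
"10:01:03.1","explorer.exe","2040","CreateFile","C:\Users\testuser\AppData\Local\IconCache.db","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:03.2","explorer.exe","2040","WriteFile","C:\Users\testuser\AppData\Local\IconCache.db","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.3","explorer.exe","2040","WriteFile","C:\Users\testuser\AppData\Local\IconCache.db","SUCCESS","Offset: 4,096, Length: 4,096"
"10:01:04.0","svchost.exe","900","WriteFile","C:\Users\testuser2\ntuser.dat.LOG1","SUCCESS","Offset: 0, Length: 512"
'''

# Operations treated as modifying (RegCreateKey may also just open an existing key).
MODIFYING_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
                 "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}

def is_modifying(operation, detail):
    if operation in MODIFYING_OPS:
        return True
    if operation == "CreateFile":
        # Look only at the requested access; ShareMode also contains "Write".
        access = detail.split("Disposition:")[0]
        return "Write" in access or "Delete" in access
    return False

def summarize(csv_text, roots):
    """Count modifying events per (process, operation, path) under the given roots."""
    prefixes = tuple(r.lower().rstrip("\\") + "\\" for r in roots)
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Trailing separator stops C:\Users\testuser matching C:\Users\testuser2.
        if not (row["Path"].lower() + "\\").startswith(prefixes):
            continue
        if is_modifying(row["Operation"], row["Detail"]):
            counts[(row["Process Name"], row["Operation"], row["Path"])] += 1
    return counts

if __name__ == "__main__":
    # Viewed from another account, the same hive appears as HKU\<SID>; add that prefix to roots.
    for (proc, op, path), n in summarize(SAMPLE_CSV, [r"C:\Users\testuser", "HKCU"]).most_common():
        print(f"{n:3} {proc:14} {op:12} {path}")
```

For a real export, read the file with `encoding="utf-8-sig"` and pass its text to `summarize`.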
     