4

I want to develop a Windows Forms application to monitor my network computers' login, logoff and login attempt details and do something based on detection (for example, send some notification to the admin).

What I have tried:

I read about Windows services, Windows Task Scheduler and event auditing using Task Scheduler, but I want to do it programmatically. So my question is: how can I detect Windows logon attempts programmatically using C#?

Reza Aghaei

1 Answer

7

To detect logon attempts you can rely on Windows security events. Here you can see a list of security events and their meanings. Common events which you may be interested in are:

4624: An account was successfully logged on.
4625: An account failed to log on.
4648: A logon was attempted using explicit credentials.
4675: SIDs were filtered.

Detect Events using an Application/Service

You can detect logon attempts yourself in code using the EventLog class and handling its EntryWritten event. The code sample below just logs the event in a file to show that you can be informed of the event and use it. Instead of writing to a file, you can send a notification by email, run an application or do something else.

To test the code you should Run as Administrator. Also, in a real environment you should make it like a service or configure it to run before user login.

```csharp
// Requires: using System.Diagnostics; using System.Linq;
private void Form1_Load(object sender, EventArgs e)
{
    // Subscribing to the Security log requires the application to run elevated.
    EventLog logListener = new EventLog("Security");
    logListener.EntryWritten += logListener_EntryWritten;
    logListener.EnableRaisingEvents = true;
}

void logListener_EntryWritten(object sender, EntryWrittenEventArgs e)
{
    //4624: An account was successfully logged on.
    //4625: An account failed to log on.
    //4648: A logon was attempted using explicit credentials.
    //4675: SIDs were filtered.
    // InstanceId replaces the deprecated EventID property.
    var events = new long[] { 4624, 4625, 4648, 4675 };
    if (events.Contains(e.Entry.InstanceId))
        System.IO.File.AppendAllLines(@"d:\log.txt", new string[] {
            string.Format("{0}:{1}", e.Entry.InstanceId, e.Entry.Message)
        });
}
```

Note: As you also said in the question, you can use a Windows Scheduled Task to do something when an event occurs.

You can ask Windows to do something for you when an unsuccessful logon attempt is detected, for example run an application (which sends an email or something else). To do so, use Windows Task Scheduler, set the task to run when a specific event occurs, and specify a suitable event source and ID. Also, to see an example of the complete steps, see Getting event log contents by email on an event log trigger.

Reza Aghaei
  • thanks for your reply. – Saravana Kumar Nov 04 '16 at 13:17
  • You're welcome. You can simply test the code, and let me know the result. It's enough to write a simple application and run it as administrator, then switch account and try to logon to another account and enter some wrong passwords. Then go to the main account and see the logs in the path which you set it to save. – Reza Aghaei Nov 04 '16 at 13:24
  • Sorry for the delayed reply... I am getting a warning on this code and I didn't get any output file... – Saravana Kumar Nov 07 '16 at 11:53
  • The warning on: 'e.Entry.EventID' and message: "This property has been deprecated. Please use System.Diagnostics.EventLogEntry.InstanceId instead. http://go.microsoft.com/fwlink/?linkid=14202" – Saravana Kumar Nov 07 '16 at 11:53
  • You should *Run as Administrator*. Also, you can neglect the warning for now, but it's better to use the property which is mentioned in the message. But I have received events simply using the scenario which I described in the above comment. – Reza Aghaei Nov 07 '16 at 17:26
  • Yes, I am running it as Administrator with a start and ending message. It gives that start and ending message only... – Saravana Kumar Nov 07 '16 at 18:19
  • Million thanks, I got it, but in Windows 10 it returns number of login ID. How can I solve this? – Saravana Kumar Nov 07 '16 at 19:39
  • Great! I don't have access to a Windows 10 machine to test at the moment. – Reza Aghaei Nov 07 '16 at 19:41
  • I think it's better to ask a new question about making it work on Windows 10. But pay attention to include code and what you have tried in the question to receive a better response from the community. While I believe your question is really good and even completely deserved some upvotes, some users just closed it and downvoted because it didn't contain any code and you have said you want to send a notification to the admin (which is too broad). – Reza Aghaei Nov 07 '16 at 19:44
  • Sir, I have a small problem... this service is starting before logon but it's not sending mail when a logon attempt occurs. It is sending mail after Windows logon... – Saravana Kumar Nov 21 '16 at 05:05
  • Probably it depends on the way in which you send email or maybe the internet connection. You can simply write notifications to a central database and use those notifications on the central server. – Reza Aghaei Nov 21 '16 at 05:08
  • Thanks for the reply, sir. It is sending mail sometimes before logon, sometimes after logon. – Saravana Kumar Nov 21 '16 at 05:19
  • An irregular pattern when a problem happens makes it hard to guess/detect the root cause of the problem. Also, the delay may be because of the mail server. To find the problem, first try to insert a record in a remote database. If you see the record is inserted in the database, then probably the problem is because of the mail server/internet connection. – Reza Aghaei Nov 21 '16 at 05:25
  • I tried, sir, but it is inserting data after logon only. – Saravana Kumar Nov 21 '16 at 06:42
  • Are you sure your program is running before login? If sure, why does it sometimes log/send emails before login and sometimes after logon? – Reza Aghaei Nov 21 '16 at 06:49
  • I'll try the code again after I have access to my development environment. – Reza Aghaei Nov 21 '16 at 06:50
  • Yes, I am sure it starts before login and is running as administrator. – Saravana Kumar Nov 21 '16 at 07:02
  • I checked it again and it worked probably. Maybe it's a network logon problem? For example, put an insert statement in the `Tick` event of a timer in an application which is running before login, then check if the commands are inserting. I guess it's a network login problem. – Reza Aghaei Nov 21 '16 at 21:16
  • I will try this and tell you. – Saravana Kumar Nov 23 '16 at 05:50
  • @Reza Aghaei, do you know if the approach you have detailed can be used to read the IP address of the client machine where the login failed? I am currently using a PowerShell script to do this but want to convert to C#. Doing some firewall IP blocking for hackers on the RD connection. I will ask a separate question if you have time to answer. – Highdown Jan 12 '18 at 00:22
  • @Highdown The program/script which is responsible to send the alert to a server is running on the client and is aware of the client IP. – Reza Aghaei Jan 12 '18 at 03:25
  • @Reza Aghaei, sorry for bothering you. This morning I realized the code was running on a client. Missed that last night. I have been trying to figure out how to do this server-side so that I can replace some PowerShell scripts that read the client's IP address for failed login attempts for Remote Desktop connection. Thanks again for taking the time to answer. Your link to the security events page is one of the things I have been searching for. Very useful... – Highdown Jan 12 '18 at 13:18
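
The following is an added example, not code from the original answer or its comments. It shows how a listener on the machine that receives the logon can subscribe to failed logons (4625) only and read the account, logon type and source address from the event's named data fields, which bears on the Windows 10 and client IP questions raised in the comments. It uses `EventLogWatcher` from `System.Diagnostics.Eventing.Reader`; the class name, method names and sample XML are assumptions constructed for illustration.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

static class FailedLogonMonitor
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Constructed, trimmed sample of a 4625 event (203.0.113.7 is a documentation address).
    const string SampleXml = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4625</EventID><Computer>HOST01</Computer></System>
  <EventData>
    <Data Name='TargetUserName'>alice</Data>
    <Data Name='LogonType'>10</Data>
    <Data Name='IpAddress'>203.0.113.7</Data>
  </EventData></Event>";

    // Returns the named <Data> field from the event XML, or "-" when it is absent.
    static string Field(XDocument doc, string name) =>
        doc.Descendants(Ns + "Data")
           .FirstOrDefault(d => (string)d.Attribute("Name") == name)?.Value ?? "-";

    // Builds a one-line summary suitable for a log file or a notification body.
    public static string Describe(string eventXml)
    {
        var doc = XDocument.Parse(eventXml);
        return string.Format("failed logon user={0} type={1} ip={2}",
            Field(doc, "TargetUserName"), Field(doc, "LogonType"), Field(doc, "IpAddress"));
    }

    static void Main()
    {
        Console.WriteLine(Describe(SampleXml)); // offline check of the parser

        // Live subscription: the XPath filter delivers 4625 events only. Requires elevation.
        var query = new EventLogQuery("Security", PathType.LogName, "*[System[(EventID=4625)]]");
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += (s, e) =>
            {
                if (e.EventRecord != null)   // null when the watcher reports an error instead
                    Console.WriteLine(Describe(e.EventRecord.ToXml()));
            };
            watcher.Enabled = true;
            Console.ReadLine(); // keep listening until Enter is pressed
        }
    }
}
```

For logons made at the local console the `IpAddress` field is typically `-` or a loopback address, so treat it as optional before acting on it.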