22 changes: 22 additions & 0 deletions README.md
@@ -1 +1,23 @@
# nsa-spy

A Windows batch script that captures login context and key system details for auditing. The script writes a structured entry to `logs/login_log.txt` whenever it is executed (for example, at user logon via Task Scheduler or Group Policy).

## What it records
- Timestamp (UTC offset included) and session metadata (computer, domain, username, session name, admin status)
- Network configuration (`ipconfig /all`)
- Network adapters summary (`getmac /v`)
- Installed software from the local machine registry
- Recent system event log entries
- Logical drive information (filesystem, size, free space)

## Usage
1. Copy `access_insights.bat` to the target machine.
2. Run the script manually or configure it to run at logon:
- Task Scheduler: create a new task, trigger **At log on**, action **Start a program** pointing to the batch file.
- Group Policy: add the batch file under **User Configuration → Windows Settings → Scripts (Logon/Logoff)**.
3. Review collected entries in `logs/login_log.txt`. The script auto-rotates the log file when it exceeds 1 MB.

## Privacy and safety
- Ensure execution complies with your organization’s policies and applicable regulations.
- Run in a test environment first to confirm that required Windows commands (PowerShell, `wevtutil`, `wmic`, `getmac`) are available.
- The script does not transmit data; it only writes to the local `logs` directory.
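Review bot: step 3 of Usage (`Review collected entries in logs/login_log.txt`) and the last safety bullet (`it only writes to the local logs directory`) never say what `logs` is relative to. The script sets `LOG_DIR=logs` with no base path, so the directory is created under whatever working directory the launching process uses; a Task Scheduler action without a "Start in" value does not start in the script's folder, so the log will not be where step 3 says. Document that the task's "Start in" field (or the GPO logon-script working directory) must point at the directory holding `access_insights.bat`, or change the script to anchor the path. Two more things the README should state: the `ipconfig /all` output, the Uninstall registry dump and the System event log excerpt contain hostnames, MAC addresses, DNS servers and a software inventory, and the `logs` directory is created with inherited default permissions, so the operator should restrict who can read it; and the command check in Privacy and safety lists `wmic`, which is deprecated and no longer installed by default on recent Windows 11 builds, so the "Drive information" section will fail there unless the optional WMIC feature is added or the script switches to a PowerShell CIM query.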
92 changes: 75 additions & 17 deletions access_insights.bat
@@ -1,26 +1,84 @@
@echo off
setlocal EnableExtensions EnableDelayedExpansion

REM Script Name: access_insights.bat
REM Version: 1.0 (initial release)
REM Version: 1.1
REM Author: Jan Gebser
REM
REM Description:
REM - This batch script logs user login details, system information, and network configuration upon each login. The script helps in tracking user sessions and system status.
REM - Logs user login details, system information, and network configuration upon each login.
REM - Adds safeguards such as log rotation, consistent timestamps, and richer context for each entry.
REM
REM Disclaimer:
REM Always ensure script execution adheres to company policies and complies with relevant security and privacy regulations.
REM Test scripts in a controlled environment before deployment. The author is not responsible for any errors or issues caused
REM by the usage of this script. In case of issues, users can open a ticket for assistance, subject to availability and
REM schedule.

REM Initial Code Snippet:
REM The initial code snippet captures basic user and system information, including IP configuration and some network details. To improve the script's functionality, additional data can be collected:
set "LOG_DIR=logs"
set "LOG_FILE=%LOG_DIR%\login_log.txt"
set "MAX_LOG_SIZE=1048576"

REM Further Ideas for Collection:
REM - Network Adapter Details: Fetch information about each network adapter, such as IP address, MAC address, and DHCP status.
REM - Installed Software: Retrieve a list of installed software for comprehensive system analysis.
REM - Recent Event Logs: Gather recent event logs to monitor system activities around login times.
REM - Drive Information: Collect data about available drives, disk space, and utilization.
call :ensure_log_directory || exit /b 1
call :set_context
call :rotate_if_needed

REM Disclaimer:
REM Always ensure script execution adheres to company policies and complies with relevant security and privacy regulations. Test scripts in a controlled environment before deployment.
REM I am not responsible for any errors or issues caused by the usage of this script. Users are encouraged to test this script in a controlled environment before deploying it in a production setting.
REM In case of issues, users can open a ticket for assistance, subject to my availability and schedule.
call :log_line "============================================================"
call :log_line "Login record: %HUMAN_TIMESTAMP%"
call :log_line "Machine: %COMPUTERNAME% | Domain: %USERDOMAIN% | User: %USERNAME%"
call :log_line "Session: %SESSIONNAME% | Admin: %IS_ADMIN%"
call :log_line "------------------------------------------------------------"

call :run_and_log "IP configuration" ipconfig /all
call :run_and_log "Network adapters (GETMAC)" getmac /v /fo list
call :run_and_log "Installed software" powershell -NoProfile -Command "Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*' | Where-Object { $_.DisplayName } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName | Format-Table -AutoSize"
call :run_and_log "Recent system event logs" wevtutil qe System /c:20 /rd:true /f:text
call :run_and_log "Drive information" wmic logicaldisk get Name, FileSystem, FreeSpace, Size, VolumeName /format:list

@echo off
echo %DATE% %TIME% - User: %USERNAME% >> login_log.txt
ipconfig /all >> login_log.txt
echo. >> login_log.txt
call :log_line ""
exit /b 0

:ensure_log_directory
if not exist "%LOG_DIR%" (
mkdir "%LOG_DIR%" 2>nul
if errorlevel 1 (
echo Failed to create log directory "%LOG_DIR%".
exit /b 1
)
)
if not exist "%LOG_FILE%" type nul > "%LOG_FILE%"
exit /b 0

:set_context
for /f "usebackq" %%i in (`powershell -NoProfile -Command "(Get-Date).ToString('yyyy-MM-dd HH:mm:ss zzz')"`) do set "HUMAN_TIMESTAMP=%%i"
for /f "usebackq" %%i in (`powershell -NoProfile -Command "(Get-Date).ToString('yyyyMMdd_HHmmss')"`) do set "FILE_TIMESTAMP=%%i"
net session >nul 2>&1
if %errorlevel%==0 (set "IS_ADMIN=Yes") else (set "IS_ADMIN=No")
exit /b 0

:rotate_if_needed
if exist "%LOG_FILE%" (
for %%A in ("%LOG_FILE%") do (
if %%~zA GTR %MAX_LOG_SIZE% (
set "ARCHIVE=%LOG_DIR%\login_log_%FILE_TIMESTAMP%.txt"
move "%LOG_FILE%" "!ARCHIVE!" >nul
type nul > "%LOG_FILE%"
call :log_line "Log rotated to !ARCHIVE! due to size > %MAX_LOG_SIZE% bytes."
)
)
)
exit /b 0

:log_line
echo %~1>> "%LOG_FILE%"
exit /b 0

:run_and_log
set "SECTION_TITLE=%~1"
shift
set "CMD=%*"
call :log_line "---- %SECTION_TITLE% ----"
!CMD! >> "%LOG_FILE%" 2>&1
if errorlevel 1 call :log_line "[warning] %SECTION_TITLE% command returned error code %ERRORLEVEL%"
call :log_line ""
exit /b 0
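Review bot: `:run_and_log` cannot work as written, because `shift` has no effect on `%*`. After `shift`, `set "CMD=%*"` still holds the section title as its first token, so `!CMD! >> "%LOG_FILE%"` tries to execute `"IP configuration" ipconfig /all` as a command named `IP configuration`, and every section records only a "not recognized" error followed by the `[warning]` line. Either rebuild the command from the individual `%1 %2 ...` arguments after the shift, or pass the command as one quoted second argument and run `%~2`. Three smaller defects in the same hunk: in `:log_line`, `echo %~1>> "%LOG_FILE%"` expands the argument unquoted before the line is parsed, so the `|` characters in `"Machine: %COMPUTERNAME% | Domain: %USERDOMAIN% | User: %USERNAME%"` become pipes and the `>` in `"Log rotated to !ARCHIVE! due to size > %MAX_LOG_SIZE% bytes."` becomes a redirection to a file named after the byte count; store the argument with `set "LINE=%~1"` and write it with `echo(!LINE!>>"%LOG_FILE%"` so the expansion happens after parsing (`echo(` also stops the empty `call :log_line ""` from writing `ECHO is off.`). In `:set_context`, both `for /f "usebackq"` loops use the default space delimiter, so `HUMAN_TIMESTAMP` ends up as the date only and the `HH:mm:ss zzz` part is dropped; use `"usebackq delims="`. And `set "LOG_DIR=logs"` is relative to the caller's working directory, not the script's, which is the wrong default for a logon script launched by Task Scheduler or GPO; `set "LOG_DIR=%~dp0logs"` makes the location predictable.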