Event Viewer - Employees Stealing Memory

  • Question

  • Does anyone know if Event Viewer can be set up to log hardware changes? I want Event Viewer to log hardware changes on our Windows platforms. The "Application" log is the only log that contains entries when memory has been taken out of a PC.

    The "Application" log writes an "Event ID: 1024 - Hardware has changed" entry. The "Application" log does not log "specifically" what hardware has changed, but at least it logs a hardware change.

    I would think the "System" log would document and contain data on this sort of thing. The system log sits there and acts like nothing happened, and could care less if memory has been taken from a PC.

    Does anyone have a better solution? If these PCs had a majority of "gold" or "copper" parts in them that could be sold underground, I bet Microsoft would start having the "System" log write all kinds of entries of the date and time pieces were taken from a PC.

    I want the following specific log entries written to the Event Viewer:

    What piece of hardware was "specifically" taken from the PC and at what date and time. This will allow me to narrow which employees were "on the clock" during the time the memory was taken.

    I know, I know...I'm going to get some replies telling me I should just install a surveillance system.

    Thanks, Niatross

    Friday, August 15, 2008 4:09 PM

Answers

  • Hi,

    I have failed to notice any other agents that report exactly what hardware has been removed. I have searched around and have seen a few third-party products that monitor and report hardware changes. But are you sure this is the way to go?

    If surveillance is too expensive, maybe you want to try installing computer cages? Or maybe hiring new people? :)

    Tuesday, August 19, 2008 5:39 PM

All replies

  • 1 - Nice login name. Did it take you a long time to come up with it?

    2 - Are you using hardware that supports chassis intrusion detection? You don't say if the sensor is even connected to the motherboard.

    3 - Is chassis intrusion enabled in BIOS?

    4 - If it is, is BIOS set with a password that only the boss knows so the user can't clear the intrusion and continue to use the system?

    5 - Are you using network management tools to check the logs on the server or on the individual workstations?

    6 - Are you checking the proper logs? Chassis intrusion is logged. It may not be as detailed as it should be, but it's been available for over a decade...

    7 - Why "should" an event log care what hardware is changed or removed? A log file writes entries that it is told to write based on group policies in effect. It makes no determinations itself on what is allowed to happen and what isn't.

    I'd spend less time looking for Microsoft to re-write their code and more time on finding employees that don't steal from you.

    Tuesday, August 19, 2008 5:45 PM
  • Simple answer: You know that little loop on the back of the case, that sticks through the left side door? It's for a padlock.

    Other answer:
    One needs to (or, at least, should) shut down the system and remove power prior to removing the RAM. A quick look at the system event logs (to find the time of shutdown & startup) should help you out with the timeframes.

    Thursday, August 21, 2008 4:06 AM
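
The shutdown/startup approach from the last reply, combined with the Event ID 1024 entry from the question, as an added example that is not part of the thread. It pairs shutdown and boot records into power-off windows and flags the windows followed by a hardware-change entry. The function name, the 15-minute match interval and the sample events are assumptions made for illustration.

```powershell
# Added example. 6006/6005 = Event Log service stopped/started (clean shutdown / boot);
# 1024 = the Application-log "Hardware has changed" entry quoted in the question.
function Get-PowerOffWindow {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # need LogName, Id, TimeCreated
        [int] $HardwareChangeId = 1024,
        [int] $MatchMinutes = 15                    # assumed: entry appears soon after boot
    )
    $sorted   = @($Events | Sort-Object TimeCreated)
    $lastStop = $null
    foreach ($e in $sorted) {
        if ($e.LogName -ne 'System') { continue }
        if ($e.Id -eq 6006) { $lastStop = $e.TimeCreated; continue }
        if ($e.Id -ne 6005) { continue }

        $boot = $e.TimeCreated
        $hw = @($sorted | Where-Object {
            $_.LogName -eq 'Application' -and $_.Id -eq $HardwareChangeId -and
            $_.TimeCreated -ge $boot -and $_.TimeCreated -le $boot.AddMinutes($MatchMinutes)
        })
        [pscustomobject]@{
            PoweredOff      = $lastStop   # $null: no clean shutdown logged before this boot
            PoweredOn       = $boot
            HardwareChanged = ($hw.Count -gt 0)
        }
        $lastStop = $null
    }
}

# Constructed sample events, not real log data.
$sample = @(
    [pscustomobject]@{ LogName = 'System';      Id = 6006; TimeCreated = [datetime]'2008-08-13 17:31:02' }
    [pscustomobject]@{ LogName = 'System';      Id = 6005; TimeCreated = [datetime]'2008-08-14 08:02:45' }
    [pscustomobject]@{ LogName = 'System';      Id = 6006; TimeCreated = [datetime]'2008-08-14 12:10:19' }
    [pscustomobject]@{ LogName = 'System';      Id = 6005; TimeCreated = [datetime]'2008-08-14 12:26:40' }
    [pscustomobject]@{ LogName = 'Application'; Id = 1024; TimeCreated = [datetime]'2008-08-14 12:27:05' }
)
Get-PowerOffWindow -Events $sample | Where-Object HardwareChanged | Format-Table -AutoSize

# Live use on a workstation (Windows Vista or later):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Id = 6005, 6006, 1024 }
# Get-PowerOffWindow -Events $ev
```

Event IDs are only unique per event source, so confirm the message text of a matched 1024 entry before relying on it. A row with an empty PoweredOff value means the machine booted without a preceding clean shutdown record.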