none
Viewing IE History of domain users RRS feed

  • Question

  • As an admin I am routinely asked to review a users browsing history.  As of IE 10 I seem to have lost this capability.

    I usually use IEHistoryView.  I have tried multiple locations mentioned in posts.  I have tried manually opening the History folders but they do not open.  No errors.  It's like I am clicking on an empty desktop location.  I have tried this remotely as well as locally.  I have tried as both domain admin and local admin.

    Using my own non-admin domain account I can open my own History folder but that is where it ends.

    Can somebody please advise me or point me to the correct post on how an admin can view the IE 10 history of a 2008 domain user on Windows 7?

    Thank you,

    Michael

    Thursday, October 3, 2013 2:47 PM

Answers

  • Using the shell:history command presents me with the "History.IE5" folder, the "Low" folder and a desktop.ini file.  Looking into the folders I end up with a conainer.dat file which I cannot seem to manually view.

    That means the local history "special folder" is not working.  E.g. you would see the same thing by just going to that directory.  So what is really happening?  E.g. is the desktop.ini file being changed to allow the History directory to be opened normally?  Something else inhibiting that?  The way it should work is that the new implementation finds the data in the right WebCache "container" and then shows it to you (e.g. as it used to format its index.dat data for us). 

    What we really need is information about what diagnostics are available for the new implementation.  Otherwise we could try guessing by looking at what ProcMon is allowed to see as a user's History is being opened.



    Robert Aldwinckle
    ---

    Thursday, October 10, 2013 10:40 PM
    Answerer

All replies

  • Hi,

    Did this issue occur in one specific computer or all domain computers?

    For Internet Explorer 10, the history stored in the following directory:

    C:\Users\user name\AppData\Local\Microsoft\Windows\History

    Note:You must be signed in as an administrator to be able view the IE history of another user.

    Also, please try to type"shell:history" in the Internet Explorer address bar to attempt to open this folder.


    Karen Hu
    TechNet Community Support

    Friday, October 4, 2013 6:27 AM
    Moderator
  • Thank for the reply Karen,

    This seems to happen on all domain machines that are Windows 7 with IE 10.

    I routinely check users browsing histories and in the past I have done this remotely while they might be logged on.  I guess I cannot do that anymore.  I was able to log onto the machine in question after the user left for the day and pull the history locally.

    I guess I should be able to run "shell:history" in a remote powershell session.  Maybe that is my workaround for the moment.

    <edit> ooops.  I guess that will not work since it needs to be typed into IE.

    Michael


    Friday, October 4, 2013 1:38 PM
  • I usually use IEHistoryView.

    It's like I am clicking on an empty desktop location.

    I imagine that tool will have to be revised to be aware of the new WebCache implementation of History.IE5.  (Why on earth it is still called that is beyond me since it is no longer implemented by index.dat but there we are.) Otherwise perhaps you could try finding the new "container" for it in a user's WebCache data file (e.g. WebCacheV01.dat), extracting that out into an index.dat for your tool to use?

    Another piece of the puzzle:

    http://social.technet.microsoft.com/Forums/ie/en-US/e427bb08-37b8-4870-b27e-6c8e7f5cdd9c/ie10-and-the-default-user-profile?forum=ieitprocurrentver 

    and

    http://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/

     (BING search for
        webcachev01.dat history container

    FYI

     


    Robert Aldwinckle
    ---

    Saturday, October 5, 2013 1:16 AM
    Answerer
  • I guess I should be able to run "shell:history" in a remote powershell session. 

    I guess that will not work since it needs to be typed into IE.

    Michael


    I doubt that IE would be the limiting factor.   E.g. the shell: prefix works from Windows Explorer Address bar and Run...  I'm not sure what "in a remote powershell session" would involve.  If it would mean that you were using the user's profile then using shell:history in that context would do what you want; otherwise it would just be a shorthand way of accessing the Shell Folders History value for the user profile you were logged in with.

     

    FYI



    Robert Aldwinckle
    ---

    Saturday, October 5, 2013 1:30 AM
    Answerer
  • I was able to log onto the machine in question as admin after hours and run the tool locally.  This provided me with what I needed.

    Using the shell:history command presents me with the "History.IE5" folder, the "Low" folder and a desktop.ini file.  Looking into the folders I end up with a conainer.dat file which I cannot seem to manually view.

    I cannot access things as the user even in a remote powershell session.(as far as I know)  Everything must be done as the domain admin.

    I guess I need to wait for the tools to be updated for remote access the the new cache method.  I'm surprised that Microsoft does not have an easy way to check on a domain users IE History.  This seems like it would be an important tool for organizations.

    I can understand wanting to privatize personal home browsing but in an organization network using organization hardware "private" wouldn't necessarily apply.

    Thursday, October 10, 2013 6:00 PM
  • Using the shell:history command presents me with the "History.IE5" folder, the "Low" folder and a desktop.ini file.  Looking into the folders I end up with a conainer.dat file which I cannot seem to manually view.

    That means the local history "special folder" is not working.  E.g. you would see the same thing by just going to that directory.  So what is really happening?  E.g. is the desktop.ini file being changed to allow the History directory to be opened normally?  Something else inhibiting that?  The way it should work is that the new implementation finds the data in the right WebCache "container" and then shows it to you (e.g. as it used to format its index.dat data for us). 

    What we really need is information about what diagnostics are available for the new implementation.  Otherwise we could try guessing by looking at what ProcMon is allowed to see as a user's History is being opened.



    Robert Aldwinckle
    ---

    Thursday, October 10, 2013 10:40 PM
    Answerer
  • We have a similar need to read a domain user's IE 10 history remotely (as admin).  Anything new on the proper way to accomplish this?
    Tuesday, November 26, 2013 3:55 PM