[ Go to August 1997 Table of Contents ]
I have a confession to make. Besides being a programmer, writer, online impresario and consultant, I'm also a snoop. From time to time I work as a computer consultant to a private detective and a few law-enforcement agencies. Over the years I've worked on a wide variety of cases, including embezzlement, theft of trade secrets, hostile takeovers and marital infidelity. But as you may have guessed, all my cases have one thing in common: computers.
I'm occasionally called on to perform a "computer autopsy," examining a seized computer. Those cases usually involve breaking password security and locating evidence (sometimes deleted) on hard disks, floppy disks or tapes.
Fortunately, I don't get involved in human surveillance. Tailing a suspect can be dangerous, and a good way to get shot. My suspects are all of the electronic variety. I sneak into offices and homes when no one's around (with full permission of the owners, of course!), and install special monitoring software. This software tracks the computer's activities and records them for later analysis. After the surveillance is over, I return, recover the evidence and restore the computer to its original condition.
Most of my tricks are closely guarded trade secrets. But this month I'd like to share one, a surveillance program I call PWSnoop. It's not state of the art, but you can use it to audit or log the use of software, create records for time billing and even catch the occasional computer vandal. It's written in Visual Basic, so many of you will be able to modify the program to suit your own needs. It's available from any of WinMag's download locations (listed in the Table of Contents).
However, before we proceed, we need to have a little talk about the law.
Privacy laws vary from state to state, and even from city to city. So before starting your own surveillance, make sure you won't be breaking any laws. If in doubt, consult an attorney or local law enforcement official, especially if you suspect someone of committing a crime. You might need a search warrant in some cases, but in others simple permission from the computer's owner is sufficient. If you're staking out your own computer, you should be on safe legal ground. But remember: I'm not a lawyer. My legal advice is worth exactly what you're paying me, and not a penny more.
Now that we've got the legal niceties out of the way, let's get down to business.
PWSnoop runs on the computer it's monitoring and records the title bar text of each program run. If a title bar's text changes, PWSnoop notes that, too. Later analysis of this information usually reveals what programs have been run, and often what documents were created, viewed or edited, and even what Web sites were visited.
PWSnoop starts by opening a disk file (by default, named SNOOP.LOG). If the log file doesn't exist, PWSnoop creates it. Otherwise, it opens the old file and adds new information.
Then, like some human detectives I know, PWSnoop spends most of its time sleeping. Nevertheless, PWSnoop doesn't miss much. That's because every 5 seconds it executes a timer event handler (timSnoop_Timer). (See sidebar "A Snoop's Loop.")
Most of the work takes place in lines 2 through 6. Line 2 calls a subroutine named GetMasterList. This subroutine uses Windows' application programming interface (API) calls to obtain the title bar text of the main windows of all running applications. This subroutine is similar to the one we saw in the WinMag Task List utility (see Power Windows, September 1996). The title bar text strings are stored in an array named NewTitle.
The next line calls VB's built-in function Now to obtain the current date and time, uses VB's built-in function Format to convert the date and time into a printable string, then stores the result in a variable named LogTime. LogTime will time-stamp our log file entries so we can tell when each entry was made.
Lines 4 and 5 call LogStops and LogStarts. These subroutines write information to the log file. LogStops records any title bars that have disappeared since timSnoop_Timer was last called, and LogStarts records the text of any new title bars. They do this by comparing the array of current title bar text (NewTitle) to another array (OldTitle) that contains the title bar text found the last time timSnoop_Timer was called.
Finally, we come to line 6, which calls CopyNew2Old. This subroutine simply copies all entries in the NewTitle array to the array named OldTitle, getting OldTitle ready for the next execution of timSnoop_Timer.
PWSnoop awakens every 5 seconds to make and record an observation until PWSnoop ends, usually when Windows exits. Then it makes a final log entry and closes the log file.
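The loop described above, rendered in Python as an added example (this is not the Visual Basic listing from the "A Snoop's Loop" sidebar, nor any code of the author's). The real GetMasterList fills NewTitle from Windows API calls; here each snapshot is a constructed list of title strings passed to tick() by the caller, so the diffing and logging logic can be followed without a timer or a Windows machine. The names TitleLogger, diff_snapshots, format_log_time and replay_demo are assumptions made for this example, and the timestamps are constructed to resemble the sidebar's format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical Python rendering of PWSnoop's timer loop. PWSnoop obtains the
# title bar text through Windows API calls; this example never touches the
# desktop and works only on the constructed snapshots handed to tick().

def format_log_time(moment):
    """Stand-in for VB's Format(Now): render like the sidebar, e.g. 7/1/97 10:52:29 AM."""
    return f"{moment.month}/{moment.day}/{moment:%y %I:%M:%S %p}"

def diff_snapshots(old_titles, new_titles):
    """LogStops and LogStarts in one step: return (stops, starts).

    Titles are compared as multisets, so two windows that share a title
    (e.g. two 'Untitled - Notepad' windows) are tracked individually.
    """
    old_count, new_count = Counter(old_titles), Counter(new_titles)
    stops, starts = [], []
    seen = Counter()
    for title in old_titles:            # keep observation order in the log
        seen[title] += 1
        if seen[title] > new_count[title]:
            stops.append(title)
    seen = Counter()
    for title in new_titles:
        seen[title] += 1
        if seen[title] > old_count[title]:
            starts.append(title)
    return stops, starts

class TitleLogger:
    """One object per log file; call tick() once per observation (every 5 seconds in PWSnoop)."""

    def __init__(self):
        self.old_titles = []            # OldTitle: what was on screen at the last tick
        self.lines = []                 # the log entries, in the order they were written

    def start(self, moment):
        self.lines.append(f"{format_log_time(moment)} - Logging Started")

    def tick(self, new_titles, moment):
        log_time = format_log_time(moment)          # LogTime
        stops, starts = diff_snapshots(self.old_titles, new_titles)
        for title in stops:                         # LogStops
            self.lines.append(f"{log_time} - Stop: {title}")
        for title in starts:                        # LogStarts
            self.lines.append(f"{log_time} - Start: {title}")
        self.old_titles = list(new_titles)          # CopyNew2Old
        return stops, starts

    def stop(self, moment):
        self.lines.append(f"{format_log_time(moment)} - Logging Stopped")

def replay_demo():
    """Replay three constructed snapshots five seconds apart; returns the log lines."""
    logger = TitleLogger()
    t0 = datetime(1997, 7, 1, 10, 52, 29)           # constructed start time
    logger.start(t0)
    snapshots = [
        ["DOS", "Microsoft Word", "Untitled - Notepad"],
        ["DOS", "Microsoft Word", "Untitled - Notepad", "Microsoft Internet Explorer"],
        # the browser's title changed as a page loaded; DOS and Notepad were closed
        ["Microsoft Word", "Welcome To Microsoft - Microsoft Internet Explorer"],
    ]
    for i, snapshot in enumerate(snapshots, start=1):
        logger.tick(snapshot, t0 + timedelta(seconds=5 * i))
    logger.stop(t0 + timedelta(seconds=5 * (len(snapshots) + 1)))
    return logger.lines

if __name__ == "__main__":
    print("\n".join(replay_demo()))
```

Note how a title change shows up: the third snapshot produces a Stop for "Microsoft Internet Explorer" and a Start for the new title in the same tick, which is exactly the pattern in the "A PC Rap Sheet" sidebar. Anything that opens and closes between two ticks is never seen at all, so a 5-second interval trades completeness for a small log.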
What will you see in a log file? A portion of a typical file is shown in the sidebar "A PC Rap Sheet." What you'll see in your own log file depends on how much information your applications display in their window title bars. Most applications display their own name and the names of any documents they have open. So that's what PWSnoop logs. Windows and its components cooperate, too. If you're running Windows 95, you'll see log file entries for each Explorer or My Computer window opened and closed as the user browses disks. Windows 3.x users will see the title bar text of Program Manager and File Manager (though not the title bar text of individual Program Manager Group windows).
While browsing the Web, Microsoft Internet Explorer and Netscape Navigator display the title of the page being viewed. This title isn't the page's URL, but rather a descriptive phrase chosen by the page's author. It often provides enough information to tell what site is being visited and the type of information being retrieved.
A few applications, most notably Microsoft Word and Microsoft Excel, are less cooperative. They only display their own names in their main window title bars. The names of the documents being edited are displayed in subordinate Multiple Document Interface (MDI) window title bars, which PWSnoop doesn't currently capture. However, you may be surprised by what is logged while Microsoft Word and other Microsoft Office applications are running. These programs often create, then destroy, hidden windows that carry out various background tasks.
The easiest way to launch PWSnoop is to place it in your Windows 3.x StartUp group or Windows 95 StartUp folder. But this makes PWSnoop easy to detect.
To make PWSnoop less conspicuous, you can launch it by placing the full path name of its EXE file on the run= or load= line of the WIN.INI file. Even under Windows 95, programs listed there still run as soon as Windows loads. Ordinarily, you'd place programs that are to run minimized on the load= line, and programs that display a normal window on the run= line. But since PWSnoop doesn't display its window, it makes no difference which line you use.
Because of a Windows limitation, PWSnoop needs a main window, even though it's never displayed. The window exists so PWSnoop will have a "window handle," a unique number Windows needs in order to assign a timer to a program.
Its window solves one problem but creates another. PWSnoop's window is not entirely invisible. It still shows up in Windows' task list and the Alt+Tab list of running programs. You can fix these problems, but the methods are beyond the scope of this column.
Fortunately, there are good commercial alternatives to my home-brewed snooper. For serious espionage, you may want to take a look at WinWhatWhere by WinWhatWhere Corp. (509-585-9293, fax 509-585-9294).
Still, for those of us who like to do it ourselves, PWSnoop is a nice starting point. Now, if I could just remember where I put that Maltese falcon ...
Karen Kenworthy is the author of Visual Basic for Applications, Revealed! (Prima Publishing, 1994), a nonprogrammer's introduction to VBA. She is also a contributing editor to WINDOWS Magazine and manager of WINDOWS Magazine Online on America Online and CompuServe. Reach Karen care of the editor at the e-mail addresses here.
SIDEBAR: A Snoop's Loop
PWSnoop's main loop is executed every 5 seconds.
SIDEBAR: A PC Rap Sheet
7/1/97 10:52:29 AM - Logging Started
7/1/97 10:52:34 AM - Start: DOS
7/1/97 10:52:34 AM - Start: Microsoft Word
7/1/97 10:52:34 AM - Start: Untitled - Notepad
7/1/97 11:07:09 AM - Start: Microsoft Internet Explorer
7/1/97 11:07:44 AM - Stop: Microsoft Internet Explorer
7/1/97 11:07:44 AM - Start: Internet Explorer
7/1/97 11:10:49 AM - Stop: Internet Explorer
7/1/97 11:10:49 AM - Start: Welcome To Microsoft - Microsoft Internet Explorer
7/1/97 11:11:04 AM - Stop: Welcome To Microsoft - Microsoft Internet Explorer
7/1/97 11:11:04 AM - Start: Windows Magazine - Microsoft Internet Explorer
7/1/97 11:12:19 AM - Stop: Windows Magazine - Microsoft Internet Explorer
7/1/97 11:12:19 AM - Start: WINDOWS 20 Questions - Microsoft Internet Explorer
7/1/97 11:19:24 AM - Stop: WINDOWS 20 Questions - Microsoft Internet Explorer
7/1/97 11:21:49 AM - Stop: DOS
7/1/97 11:22:14 AM - Stop: Microsoft Word
7/1/97 11:32:39 AM - Start: FreeCell
7/1/97 11:32:44 AM - Stop: FreeCell
7/1/97 11:32:44 AM - Start: FreeCell Game #16742
7/1/97 11:32:44 AM - Stop: FreeCell Game #16742
7/1/97 11:35:39 AM - Logging Stopped
This typical SNOOP.LOG file shows computer activity.
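The "later analysis" the column mentions, and the time-billing use it suggests, both start with parsing this log. The following Python is an added example, not part of the column or of PWSnoop: it pairs each Start with its Stop, totals on-screen time per title, flags windows still open when logging stopped, and picks out the Stop/Start pairs with identical timestamps that mark a changed title bar. The sample input is the sidebar's own SNOOP.LOG excerpt, embedded inline; the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the SNOOP.LOG excerpt shown in the "A PC Rap Sheet" sidebar.
SAMPLE_LOG = """\
7/1/97 10:52:29 AM - Logging Started
7/1/97 10:52:34 AM - Start: DOS
7/1/97 10:52:34 AM - Start: Microsoft Word
7/1/97 10:52:34 AM - Start: Untitled - Notepad
7/1/97 11:07:09 AM - Start: Microsoft Internet Explorer
7/1/97 11:07:44 AM - Stop: Microsoft Internet Explorer
7/1/97 11:07:44 AM - Start: Internet Explorer
7/1/97 11:10:49 AM - Stop: Internet Explorer
7/1/97 11:10:49 AM - Start: Welcome To Microsoft - Microsoft Internet Explorer
7/1/97 11:11:04 AM - Stop: Welcome To Microsoft - Microsoft Internet Explorer
7/1/97 11:11:04 AM - Start: Windows Magazine - Microsoft Internet Explorer
7/1/97 11:12:19 AM - Stop: Windows Magazine - Microsoft Internet Explorer
7/1/97 11:12:19 AM - Start: WINDOWS 20 Questions - Microsoft Internet Explorer
7/1/97 11:19:24 AM - Stop: WINDOWS 20 Questions - Microsoft Internet Explorer
7/1/97 11:21:49 AM - Stop: DOS
7/1/97 11:22:14 AM - Stop: Microsoft Word
7/1/97 11:32:39 AM - Start: FreeCell
7/1/97 11:32:44 AM - Stop: FreeCell
7/1/97 11:32:44 AM - Start: FreeCell Game #16742
7/1/97 11:32:44 AM - Stop: FreeCell Game #16742
7/1/97 11:35:39 AM - Logging Stopped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) - "
    r"(?P<event>Logging Started|Logging Stopped|Start|Stop)(?:: (?P<title>.+))?$"
)

def parse_line(line):
    """Split one entry into (timestamp, event, title); title is None for the Logging lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised SNOOP.LOG line: {line!r}")
    stamp = datetime.strptime(match["ts"], "%m/%d/%y %I:%M:%S %p")
    return stamp, match["event"], match["title"]

def sessions(log_text):
    """Pair each Start with the next Stop for the same title.

    Returns (title, start, stop, still_open) tuples. A window still on screen
    when logging stopped is closed at the 'Logging Stopped' time and flagged;
    a Stop with no earlier Start (a log that began mid-session) keeps start=None.
    """
    pending = defaultdict(list)      # title -> start times not yet stopped (FIFO for duplicate titles)
    result, end_time = [], None
    for line in log_text.strip().splitlines():
        stamp, event, title = parse_line(line)
        if event == "Start":
            pending[title].append(stamp)
        elif event == "Stop":
            start = pending[title].pop(0) if pending[title] else None
            result.append((title, start, stamp, False))
        elif event == "Logging Stopped":
            end_time = stamp
    for title, starts in pending.items():
        for start in starts:
            result.append((title, start, end_time, True))
    return result

def seconds_per_title(log_text):
    """Total seconds each title was on screen: the raw material for a time-billing record."""
    totals = defaultdict(int)
    for title, start, stop, _ in sessions(log_text):
        if start is not None and stop is not None:
            totals[title] += int((stop - start).total_seconds())
    return dict(totals)

def title_changes(log_text):
    """A Stop immediately followed by a Start with the same timestamp is how a
    changed title bar (e.g. a browser loading a new page) appears in the log.
    Returns (timestamp, old_title, new_title) triples."""
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    changes = []
    for (ts1, ev1, old), (ts2, ev2, new) in zip(events, events[1:]):
        if ev1 == "Stop" and ev2 == "Start" and ts1 == ts2:
            changes.append((ts1, old, new))
    return changes

if __name__ == "__main__":
    for title, secs in sorted(seconds_per_title(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{secs:6d} s  {title}")
    for stamp, old, new in title_changes(SAMPLE_LOG):
        print(f"{stamp:%I:%M:%S %p}  {old!r} -> {new!r}")
```

Two caveats a practitioner should keep in mind when reading such totals: an "Untitled - Notepad" window that never stops is charged up to the "Logging Stopped" line, which may overstate its use, and the same-timestamp heuristic for title changes cannot tell a renamed window from an unrelated window closing while another opens within the same 5-second tick.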