Hello, "adontz"
>
> Well, let's think.
>
> IDIOTIC WAYS:
>
> You need log on/log off.
> 1) an application in the autostart of all users
> 2) rewriting the GINA DLL (the wlx*** functions)
>
> You need process launch.
> If this is about a log of user actions, then intercepting CreateProcess/ShellExecute will be enough.
> You can also intercept all file opens/closes (see FileMon at www.sysinternals.com). IMHO this is more reliable.
>
Or maybe a very simple WMI script?

The code example in this section runs a script when a process that is running Microsoft Word ends.
To use the code example:
1. Create the c:\asec2.vbs file, and then copy the script in this section into it.
2. Copy the MOF list into a text file and save it with a .mof extension.
3. In a command window, compile the MOF file by using the following command:
   Mofcomp filename.mof
4. Open a WinWord process, wait more than 5 seconds, close it, and then look in the C:\ directory, where there should be a file named ASEC.log that contains content similar to the following:
   Time: 12/31/2002 2:56:33 PM; Entry made by: ASEC Application closed. UserModeTime: 1562500; KernelModeTime: 3125000 [hundreds of nanoseconds]

Dim objFS, objFile
Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFile = objFS.OpenTextFile("C:\ASEC2.log", 8, true)
objFile.WriteLine "Time: " & Now & "; Entry made by: ASEC2"
'Note the usage of TargetEvent object. It is an __InstanceDeletionEvent instance
' so it has a property named TargetInstance, which is a Win32_Process instance
' used to fire the event. Win32_Process class has two properties called "UserModeTime" and
' "KernelModeTime" and this is to put in the log file created by the script.
objFile.WriteLine "Application closed. UserModeTime: " & TargetEvent.TargetInstance.UserModeTime & _
    "; KernelModeTime: " & TargetEvent.TargetInstance.KernelModeTime & " [hundreds of nanoseconds]"
objFile.Close

The code example in this section is the MOF file that calls the earlier script when an event is received.
#pragma namespace ("\\\\.\\root\\subscription")

instance of ActiveScriptEventConsumer as $Cons
{
    Name = "ASEC";
    ScriptingEngine = "VBScript";
    ScriptFileName = "c:\\asec2.vbs";
};

instance of __EventFilter as $Filt
{
    Name = "EF";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 "
            "WHERE TargetInstance ISA \"Win32_Process\" "
            "AND TargetInstance.Name = \"winword.exe\"";
    QueryLanguage = "WQL";
    EventNamespace = "root\\cimv2";
};

instance of __FilterToConsumerBinding
{
    Filter = $Filt;
    Consumer = $Cons;
};

Posted via RSDN NNTP Server 1.8 beta
If you don't have paranoia, that doesn't mean they aren't watching you.
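
The MOF in the post creates a permanent subscription that stays in the WMI repository across reboots, so it is worth checking what was registered and removing it when the test is over. The PowerShell below is an added example, not part of the original post or of the sample it quotes; the function names are hypothetical, while the names EF and ASEC are taken from the MOF above.

```powershell
# Added example: inventory and clean up permanent WMI event subscriptions.
# Assumes an elevated PowerShell 3.0+ prompt on the machine where mofcomp was run.
$ns = 'root/subscription'

function Get-WmiSubscription {
    # Index filters and consumers by Name, the key property of both classes.
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    # __EventConsumer is the abstract base class; this returns every subclass instance.
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $f = $filters[$b.Filter.Name]
        $c = $consumers[$b.Consumer.Name]
        [pscustomobject]@{
            Filter         = $b.Filter.Name
            Query          = $f.Query
            EventNamespace = $f.EventNamespace
            ConsumerClass  = $c.CimClass.CimClassName
            Consumer       = $b.Consumer.Name
            ScriptFile     = $c.ScriptFileName   # set for ActiveScriptEventConsumer only
            Binding        = $b
        }
    }
}

function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    # Remove the binding first so the event stops being delivered, then both ends.
    Get-WmiSubscription |
        Where-Object { $_.Filter -eq $FilterName -and $_.Consumer -eq $ConsumerName } |
        ForEach-Object { Remove-CimInstance -InputObject $_.Binding }
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$FilterName'" |
        Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -Filter "Name='$ConsumerName'" |
        Remove-CimInstance
}

# List every binding; any entry that is not expected deserves a closer look.
Get-WmiSubscription | Format-List Filter, Query, EventNamespace, ConsumerClass, Consumer, ScriptFile

# Clean up the subscription from the post once testing is done:
# Remove-WmiSubscription -FilterName 'EF' -ConsumerName 'ASEC'
```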