Joseph Michael Pesch
VP Programming

C# Windows Service to Log User Unlocking/Locking Computer

by 20. June 2013 08:09

Windows event logs will typically capture user login/logout activity; however, they do not capture users unlocking/locking their computer (which quite often is the more frequent activity).  This C# code will run as a Windows service and add Information entries into the Windows Application log accessible via the system Event Viewer.  Currently the code has an error in implementing "System.Security.Principal.WindowsIdentity.GetCurrent().Name" as an attempt to log the user name performing the activity; however, that is actually simply logging the user name that the Windows service is running as.  In a future update I plan to fix this issue and add the actual user name to the log entry.

 UserLockUnlockProfiler.zipx (41.86 kb)

Links regarding service interacting with user desktop:

https://stackoverflow.com/questions/5200341/capture-screen-on-server-desktop-session/12851218#12851218

Main Service Code:

using System;
using System.Diagnostics;
using System.Management;
using System.ServiceProcess;

namespace ULUPSvc
{
    public partial class ULUPSvc : ServiceBase
    {
        public ULUPSvc()
        {
            InitializeComponent();
            this.CanHandleSessionChangeEvent = true;
        }

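        // Writes an Information entry to the Application log under the "ULUPSvc" source.
        public void LogEvent(string msg)
        {
            msg += " " + DateTime.Now.ToString();
            ManagementScope ms = new ManagementScope("\\\\.\\root\\cimv2");
            ObjectQuery query = new ObjectQuery("SELECT * FROM Win32_ComputerSystem");
            using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(ms, query))
            {
                foreach (ManagementObject mo in searcher.Get())
                {
                    // UserName is null when no user is logged on at the console
                    // (for example after logoff), so guard before calling ToString().
                    object userName = mo["UserName"];
                    if (userName != null)
                        msg += " (" + userName.ToString() + ")";
                }
            }
            using (EventLog eventLog = new EventLog())
            {
                eventLog.Log = "Application";
                eventLog.Source = "ULUPSvc";
                eventLog.WriteEntry(msg, EventLogEntryType.Information);
            }
        }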

        protected override void OnSessionChange(SessionChangeDescription changeDescription)
        {
            switch (changeDescription.Reason)
            {
                case SessionChangeReason.SessionLogon:
                    LogEvent("Logon");
                    break;
                case SessionChangeReason.SessionLogoff:
                    LogEvent("Logoff");
                    break;
                case SessionChangeReason.SessionLock:
                    LogEvent("Lock");
                    break;
                case SessionChangeReason.SessionUnlock:
                    LogEvent("Unlock");
                    break;
            }
            base.OnSessionChange(changeDescription);
        }

        protected override void OnStart(string[] args)
        {
            // Make sure we have our application in the event log.
            if (!EventLog.SourceExists("ULUPSvc"))
                EventLog.CreateEventSource("ULUPSvc", "Application");
        }

        protected override void OnStop()
        {
            LogEvent("Stopping");
        }

    }

}
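
One way to record the user who actually owns the session that was locked or unlocked, rather than the service account, is to resolve the SessionId that OnSessionChange receives through the Terminal Services API. This is an added example, not code from the original project; the SessionUser class and its Describe method are hypothetical names.

```csharp
using System;
using System.Runtime.InteropServices;
using System.ServiceProcess;

namespace ULUPSvc
{
    // Hypothetical helper (not in the original project): maps a session ID to DOMAIN\user.
    internal static class SessionUser
    {
        private const int WTSUserName = 5;   // WTS_INFO_CLASS.WTSUserName
        private const int WTSDomainName = 7; // WTS_INFO_CLASS.WTSDomainName

        [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        private static extern bool WTSQuerySessionInformation(
            IntPtr hServer, int sessionId, int infoClass, out IntPtr buffer, out int bytesReturned);

        [DllImport("wtsapi32.dll")]
        private static extern void WTSFreeMemory(IntPtr memory);

        private static string Query(int sessionId, int infoClass)
        {
            IntPtr buffer;
            int bytes;
            // IntPtr.Zero is WTS_CURRENT_SERVER_HANDLE (the local machine).
            if (!WTSQuerySessionInformation(IntPtr.Zero, sessionId, infoClass, out buffer, out bytes))
                return string.Empty;
            try { return Marshal.PtrToStringUni(buffer) ?? string.Empty; }
            finally { WTSFreeMemory(buffer); }
        }

        // Returns e.g. "session 2 (CONTOSO\alice)"; falls back when no name is available.
        public static string Describe(SessionChangeDescription change)
        {
            string user = Query(change.SessionId, WTSUserName);
            if (user.Length == 0)
                return "session " + change.SessionId + " (user unknown)";
            string domain = Query(change.SessionId, WTSDomainName);
            return "session " + change.SessionId + " (" + domain + "\\" + user + ")";
        }
    }
}
```

Inside OnSessionChange the result can be appended to the message, for example LogEvent("Lock " + SessionUser.Describe(changeDescription)). Because the lookup is keyed on the session ID, it also attributes events from Remote Desktop sessions, which Win32_ComputerSystem.UserName does not report.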
