WhoDunIt User Manual v1.200

Niwot Networks, Inc, 721 9th Ave., Longmont, CO 80501. (303) 772-8664

The WhoDunIt Suite consists of 3 programs that provide in-depth notification of who was responsible for creating, changing or deleting your files and folders. The first two programs, WhoDunItHostEnable and WhoDunItObjectEnable, exist solely to enable the Audit functions needed to support such notifications. The third program, WhoDunIt, extracts the Audit information from the Security Log.

You've Got Files! Corporate and Demo versions 2.427 and greater are capable of driving WhoDunItObjectEnable to enable auditing on monitored folders and driving WhoDunIt to retrieve Audit information and include it in email change notification.

The WhoDunItHostEnable program

The WhoDunItObjectEnable program

The WhoDunIt program

The WhoDunItconf.txt configuration file

Uninstalling the WhoDunIt Program Suite

Change Notes

The WhoDunIt License Agreement



The WhoDunItHostEnable program

WhoDunItHostEnable is to be run on the machine that you are planning to audit.

WhoDunItHostEnable is to be run with Administrator privileges.

Start WhoDunItHostEnable by double-clicking on WhoDunItHostEnable.exe.



Do Host Enable: Clicking on this button will run the Host Enable function.
The process will run for a few seconds and then display a dialog box similar
to the following:



Once you see the 2 "SUCCESS:" messages, auditing is enabled.

WhoDunItHostEnable turns off simple file sharing as you would do within Windows Explorer->Tools->Folder Options->View, and enables Auditing as you would do within Local Security Policy->Audit Policy->Audit Object Access.
The current settings of Event Viewer's Security Log are also displayed. We recommend the Security Log be set to at least 2 megabytes and "Overwrite Events As Needed". You have control over these settings from within the Event Viewer->Security->Properties window.

If errors were encountered, the dialog box might look similar to the following:



The errors above are typical when WhoDunItHostEnable is run by someone
without Administrator privileges.
(error number of 5 is ERROR_ACCESS_DENIED)

Undo Host Enable: Clicking on this button will undo the Host Enable function.
The process will run for a few seconds and then display a dialog box similar
to the following:



You may manually disable auditing within Local Security Policy->Audit Policy->Audit Object Access.

Click the Done button when you are finished.

WhoDunItHostEnable will always write a log file WhoDunItHostEnable.log of operations performed in the SystemRoot directory.

Typical contents of the WhoDunItHostEnable.log file:

>>> (start of example)
WhoDunItHostEnable.exe -- Mon Oct 1 12:56:04 2007
SUCCESS: More secure file sharing enabled.
SUCCESS: Audit/Log configuration was completed successfully.

Your current Security Log properties:
Maximum log size: 16384 KB
When maximum log size reached, Overwrite events as needed

We recommend a maximum log size of at least 2 MB
and "Overwrite events as needed".
EXIT -- Mon Oct 1 12:56:06 2007
<<< (end of example)



The WhoDunItObjectEnable program

WhoDunItObjectEnable is a command line program.
You've Got Files! runs WhoDunItObjectEnable and passes it the path to a text file
describing the object to be audited. Optionally, you may also specify a logfile
for output from the program to be written to.

The program turns on Auditing for an Object, similar to the manual operation of using Windows Explorer to select a folder, then Properties->Security->Advanced->Auditing.

Running the program from the command line with no input parameters will produce this reference information:

>>> (start of example)
--== Niwot Networks, Inc. www.niwotnetworks.com Copyright 2007
--== WhoDunItObjectEnable.exe v1.200 (BuildDate: Oct 1 2007 10:03:18)
usage:
WhoDunItObjectEnable.exe inputfilename [-log logfilename]
inputfile comment line starts with #
first non-comment line of inputfile is path to object
examples of access definitions used in inputfile:
# -CLEARALL will clear all success/failure ACEs from SACL
-CLEARALL

# ADD a SUCCESSFUL_ACCESS_ACE for Delete
-SUCCESS -ADD DELETE

# ADD a SUCCESSFUL_ACCESS_ACE for Delete Subfolders and Files
-SUCCESS -ADD FILE_DELETE_CHILD

# ADD a FAILED_ACCESS_ACE for Delete
-FAILURE -ADD DELETE

# ADD a FAILED_ACCESS_ACE for Delete Subfolders and Files
-FAILURE -ADD FILE_DELETE_CHILD

Exit codes:
0 Program ran without error
1 File or path not found
2 Insufficient privileges
3 Undetermined error (see ouput/logfile for specific errors)
<<< (end of example)

The last line of output from WhoDunItObjectEnable (either to logfile or
stdout) will be "SUCCESS=1" or "SUCCESS=0" to indicate success or failure.
If failure, the next to last line will indicate "ProgramErrorReturned=X" where
X is one of the exit codes shown above.

When You've Got Files! runs the program successfully, there is no
additional output to the You've Got Files! runlog.txt file.

If You've Got Files! encounters errors when running WhoDunItObjectEnable
those errors are written to the You've Got Files! runlog.txt file.

Following is an example of error output written to the You've Got Files! runlog:

>>> (start of example)
WhoDunItObjectEnable.exe v1.200 AT Mon Oct 1 12:11:06 2007
INPUTFILE=[C:\Program Files\Niwot\You've Got Files!\WhoDunItObjectEnable1.txt]
LOGFILE=[C:\Program Files\Niwot\You've Got Files!\WhoDunItOE1Log.txt]

Reading from input file: [C:\Program Files\Niwot\You've Got Files!\WhoDunItObjectEnable1.txt]
PATHNAME=[\\servername\sharename\folder]
-CLEARALL
# Ygf1DontNotifyOnAdd=-1 Ygf1DontNotifyOnChange=-1
-SUCCESS -ADD FILE_WRITE_DATA
success1failure2=1 add1clear2=1 anAccessMask=0x2
# Ygf1NotifyOnDelete=1
-SUCCESS -ADD DELETE
success1failure2=1 add1clear2=1 anAccessMask=0x10000
-SUCCESS -ADD FILE_DELETE_CHILD
success1failure2=1 add1clear2=1 anAccessMask=0x40

result=1 error=0 OpenProcessToken hToken=0x28
result=1 error=0 LookupPrivilegeValue
result=1 error=0 AdjustTokenPrivileges
result=53 GetNamedSecurityInfo (SACL_SECURITY_INFORMATION) for [\\servername\sharename\folder] pSACL=0x0
result=1 error=0 AllocateAndInitializeSid
result=0 error=53 GetFileSecurity
CloseHandle hToken=0x28
ProgramErrorReturned=3
SUCCESS=0
<<< (end of example)
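
A way to check a WhoDunItObjectEnable run from a script, using the "SUCCESS=" and "ProgramErrorReturned=" convention described above. This is an added example, not code from Niwot Networks; the function name, the rule for reading "result=" lines, and the name for error 53 (the standard Win32 name, not stated in this manual) are assumptions.

```python
import re

# Exit codes as listed in the program's usage text.
EXIT_CODES = {0: "Program ran without error", 1: "File or path not found",
              2: "Insufficient privileges", 3: "Undetermined error"}
# 5 is named in this manual; 53 is the standard Win32 name for that number.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH"}
API_LINE = re.compile(r"^result=(\d+)(?: error=(\d+))? (\w+)")

# Constructed sample, abridged from the runlog excerpt above.
SAMPLE_LOG = r"""
PATHNAME=[\\servername\sharename\folder]
-SUCCESS -ADD DELETE
success1failure2=1 add1clear2=1 anAccessMask=0x10000
result=1 error=0 OpenProcessToken hToken=0x28
result=53 GetNamedSecurityInfo (SACL_SECURITY_INFORMATION) for [\\servername\sharename\folder] pSACL=0x0
result=0 error=53 GetFileSecurity
ProgramErrorReturned=3
SUCCESS=0
"""

def parse_objectenable_log(text):
    """Return the verdict, exit code and failed API calls for one run."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[-1] not in ("SUCCESS=1", "SUCCESS=0"):
        raise ValueError("log does not end with SUCCESS=1 or SUCCESS=0")
    success = lines[-1] == "SUCCESS=1"
    exit_code = 0
    if not success:
        m = re.fullmatch(r"ProgramErrorReturned=(\d+)", lines[-2] if len(lines) > 1 else "")
        if m is None:
            raise ValueError("SUCCESS=0 without a ProgramErrorReturned line")
        exit_code = int(m.group(1))
    failed = []
    for ln in lines:
        m = API_LINE.match(ln)
        if m is None:
            continue
        result, error, api = int(m.group(1)), m.group(2), m.group(3)
        # Assumption: "result=N error=E" is a BOOL call (0 = failed, E = error);
        # a bare "result=N" carries the Win32 status itself (non-zero = failed).
        bad, err = (result != 0, result) if error is None else (result == 0, int(error))
        if bad:
            failed.append((api, err, WIN32_ERRORS.get(err, "unknown")))
    return {"success": success, "exit_code": exit_code,
            "exit_text": EXIT_CODES.get(exit_code, "unknown"), "failed_calls": failed}

if __name__ == "__main__":
    print(parse_objectenable_log(SAMPLE_LOG))
```

On the sample, exit code 3 alone says only "undetermined"; the failed calls show that the share path could not be reached, so no SACL was written and the folder is not being audited.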

If additional debugging is enabled in You've Got Files! by using the
Debug=1 flag in the ygfconf.txt configuration file, then each time
that the program is run it will log a SUCCESS message to the runlog, like:

SUCCESS ObjectEnable \\servername\sharename\folder

It is possible to use WhoDunItObjectEnable to clear all auditing that was
previously enabled. This can be accomplished from within You've Got Files!
by setting the WhoDunItObjectEnable value to "2" instead of "1". The next time
that You've Got Files! is started, it will clear all auditing for that file object.
You would use a configuration setting like this in the "ygfconf.txt" file:

Ygf1WhoDunItObjectEnable=2

If it is desired to run WhoDunItObjectEnable from the command line to clear all auditing,
then the input file that you create should have only the "-CLEARALL" command, and no
"-SUCCESS" or "-FAILURE" auditing commands as shown above.
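
A pre-flight check for a hand-written input file, covering both the audit case from the usage text and the clear-all case just described. This is an added example, not part of the WhoDunIt suite; the function and field names are hypothetical, blank lines and leading whitespace are assumed to be ignored, and only the three access rights whose mask values appear in the runlog example are recognised.

```python
import re

# Access-mask values as echoed in the manual's runlog example (anAccessMask=...).
ACCESS_MASKS = {"FILE_WRITE_DATA": 0x2, "FILE_DELETE_CHILD": 0x40, "DELETE": 0x10000}
ADD_LINE = re.compile(r"^-(SUCCESS|FAILURE)\s+-ADD\s+(\S+)$")

# Constructed sample input files (not shipped with the product).
SAMPLE_AUDIT = r"""# audit successful writes/deletes and failed deletes
\\servername\sharename\folder
-CLEARALL
-SUCCESS -ADD FILE_WRITE_DATA
-SUCCESS -ADD DELETE
-SUCCESS -ADD FILE_DELETE_CHILD
-FAILURE -ADD DELETE
"""
SAMPLE_CLEAR = r"""\\servername\sharename\folder
-CLEARALL
"""

def parse_input_file(text):
    """Parse WhoDunItObjectEnable input text into path, masks and problems."""
    plan = {"path": None, "clear_all": False, "success_mask": 0,
            "failure_mask": 0, "problems": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if plan["path"] is None:
            plan["path"] = line           # first non-comment line is the object path
            continue
        if line == "-CLEARALL":
            plan["clear_all"] = True
            continue
        m = ADD_LINE.match(line)
        if m is None:
            plan["problems"].append(f"line {lineno}: unrecognised command {line!r}")
        elif m.group(2) not in ACCESS_MASKS:
            plan["problems"].append(f"line {lineno}: right {m.group(2)!r} not in this table")
        else:
            key = "success_mask" if m.group(1) == "SUCCESS" else "failure_mask"
            plan[key] |= ACCESS_MASKS[m.group(2)]
    if plan["path"] is None:
        plan["problems"].append("no object path found")
    elif plan["path"].startswith("-"):
        plan["problems"].append("first non-comment line looks like a command, not a path")
    # True when the file would only remove auditing (the clear-all case above).
    plan["clear_only"] = plan["clear_all"] and not (plan["success_mask"] | plan["failure_mask"])
    return plan
```

A file that parses as clear_only leaves the folder with no audit entries, so review it before running it against a monitored share.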



The WhoDunIt program

WhoDunIt is a command line program.
You've Got Files! runs the program when it has determined that a file/folder notification is to be sent. The path to the notification object is passed to WhoDunIt, which queries the Security Log of the monitored machine and returns the relevant Security Log information.
You've Got Files! includes the returned Security Log information with the You've Got Files! email notification.

Running the program from the command line with no input parameters will produce:

>>> (start of example)
C:\Program Files\Niwot\WhoDunIt>WhoDunIt.exe
usage: WhoDunIt.exe filepath PID123.txt
 v1.200 (BuildDate: Oct 1 2007 10:03:22)
<<< (end of example)

The "PID123.txt" file is the name of the output file (use any name you wish). If you are using WhoDunIt from the command line, then this file will actually be created in a directory called "WhoDunIt" at the location where the program is run. Optionally you may append " -all" (space character before the dash) to the command when calling WhoDunIt, and more verbose Security Log information will be written to the output file. Command line users of WhoDunIt are responsible for deleting/managing the output files created.


The WhoDunItconf.txt configuration file

The WhoDunIt configuration file is named WhoDunItconf.txt and is found in the WhoDunIt installation directory.

Entries in the configuration file are defined as key/value pairs:

Key=Value

All keys follow the convention of each word having the first letter capitalized, and the remaining letters in lower case. The value may be anything, a number or a text string, etc. Following is an example of a valid key/value pair:

SerialNumber=ABCD1234

Lines in WhoDunItconf.txt which begin with the '#' character are comment lines (hence they are ignored):

# This is a comment line.

Following is an example of a valid WhoDunItconf.txt configuration file:

>>> (start of example)
# WhoDunIt
# configuration file
# Version 1.200
#
SerialNumber=CA6KV2SW9ZB
# end-of-file
<<< (end of example)

List of WhoDunItconf.txt entries:

ENTRY (case sensitive)    DEFAULT
SerialNumber=             Default CA6KV2SW9ZB for expiring demo

Minimum Required Configuration

1) SerialNumber
This entry defines the serial number that you must have in order for WhoDunIt to run. This serial number must be obtained from Niwot Networks Inc. The default value in WhoDunItconf.txt will allow for a 30 day demo of the program:

SerialNumber=CA6KV2SW9ZB

After the 30 day demo period, WhoDunIt will no longer run unless a valid serial number from Niwot Networks Inc. is obtained and entered into WhoDunItconf.txt.



Uninstalling the WhoDunIt Program Suite

You may uninstall WhoDunIt in one of two ways:

1.  From the Control Panel, run "Add/Remove Programs" and select WhoDunIt from the bottom of the list to remove.

OR

2.  From Start -> Programs -> Niwot -> Uninstall WhoDunIt


Change Notes
Version 1.200 -- October 2007
1. WhoDunItObjectEnable: Reduced quantity of messages written to log.
2. WhoDunIt: Reduced quantity of information reported in abbreviated output (no change to -all).
3. WhoDunIt: If 'Client User Name' is "-" (dash), then display 'Primary User Name' instead.

Version 1.100 -- July 2007
1. Addition of expiration messages for WhoDunIt.exe and WhoDunItObjectEnable.exe.
2. Use correct permission levels when requesting data from remote servers with WhoDunIt.exe.
3. Handle -CLEARALL accurately with WhoDunItObjectEnable.exe.

Version 1.000
1. Initial release June 2007.


ELECTRONIC END USER EXPIRING LICENSE AGREEMENT (EULA)

FOR WhoDunIt (tm) WhoDunIt.exe (tm), WhoDunItHostEnable (tm), and WhoDunItObjectEnable (tm).

IMPORTANT NOTICE TO USER:

THIS IS A CONTRACT. BY INSTALLING THIS SOFTWARE YOU ACCEPT ALL THE TERMS AND CONDITIONS OF THIS AGREEMENT.

This Niwot Networks Inc. ("Niwot") End User License Agreement (EULA) accompanies the WhoDunIt product and related explanatory materials and "online" or electronic documentation ("Software"). The term "Software" also shall include the contents of the installation package, any upgrades, modified versions or updates of the Software licensed to you by Niwot.

The Software is licensed on an expiring basis, not sold. Please read this License carefully. At the end of the license term you agree to renew your license or refrain from using the software.

Upon your acceptance of this Agreement, Niwot grants to you a non-exclusive and non-transferable expiring license to use the Software, provided that you agree to the following:

1. Use of The Software. You may install the Software on a hard disk or other storage device;
install and use The Software on a file server for use on a network for the purposes of
(i) permanent installation onto hard disks or other storage devices or (ii) use of
The Software over such network; and make backup copies of The Software.
Without prejudice to any other rights, Licensor may terminate this Agreement if Licensee
breaches any of its terms and conditions. Upon termination, Licensee shall destroy all
copies of WhoDunIt.

If you have not purchased WhoDunIt and been provided a production serial number for this
copy of The Software then this is a demo license and is licensed for 30 days from first
installation on a computer.

2. Copyright and Trademark Rights. The Software is owned by Niwot Networks and its suppliers,
and its structure, organization and code are the valuable trade secrets of Niwot Networks
and its suppliers. The Software also is protected by United States Copyright Law and
International Treaty provisions. Use of any trademark does not give you any rights of
ownership in that trademark. Therefore, you must treat The Software product like any other
copyrighted material. Except as stated above, this Agreement does not grant you any
intellectual property rights in The Software.

3. Restrictions. Except as otherwise expressly permitted in this Agreement, Licensee may not:
(i) modify or create any derivative works of WhoDunIt or documentation, including translation or
localization; (ii) decompile, disassemble, reverse engineer, or otherwise attempt to derive the
source code for WhoDunIt (except to the extent applicable laws specifically prohibit such restriction);
(iii) redistribute, encumber, sell, rent, lease, sublicense, or otherwise transfer rights to WhoDunIt;
(iv) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or
labels in WhoDunIt or (v) publish any results of benchmark tests run on WhoDunIt to a third party
without Niwot Networks' prior written consent. The Software product is licensed as a single product.
Its component parts may not be separated for use on more than one computer.

4. No Warranty. The Software is being delivered to you "AS IS" and Niwot Networks makes no warranty
as to its use or performance. NIWOT NETWORKS AND ITS SUPPLIERS DO NOT AND CANNOT
WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING The Software OR
DOCUMENTATION. NIWOT NETWORKS AND ITS SUPPLIERS MAKE NO WARRANTIES,
EXPRESS OR IMPLIED, AS TO NONINFRINGEMENT OF THIRD PARTY RIGHTS,
MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE ENTIRE
RISK ARISING OUT OF USE OR PERFORMANCE OF WhoDunIt REMAINS WITH YOU.

5. Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW,
IN NO EVENT WILL LICENSOR OR ITS SUPPLIERS OR RESELLERS BE LIABLE FOR
ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT
OF THE USE OF OR INABILITY TO USE WhoDunIt, INCLUDING, WITHOUT LIMITATION,
DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR
MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF
ADVISED OF THE POSSIBILITY THEREOF, AND REGARDLESS OF THE LEGAL OR
EQUITABLE THEORY (CONTRACT, TORT OR OTHERWISE) UPON WHICH THE CLAIM IS
BASED. IN ANY CASE, LICENSOR'S ENTIRE LIABILITY UNDER ANY PROVISION OF
THIS AGREEMENT SHALL NOT EXCEED IN THE AGGREGATE THE SUM OF THE FEES
LICENSEE PAID FOR THIS LICENSE (IF ANY) AND FEES FOR WhoDunIt SUPPORT
RECEIVED BY NIWOT NETWORKS UNDER A SEPARATE SUPPORT AGREEMENT (IF ANY),
WITH THE EXCEPTION OF DEATH OR PERSONAL INJURY CAUSED BY THE NEGLIGENCE
OF LICENSOR TO THE EXTENT APPLICABLE LAW PROHIBITS THE LIMITATION OF
DAMAGES IN SUCH CASES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND
LIMITATION MAY NOT BE APPLICABLE. NIWOT NETWORKS IS NOT RESPONSIBLE FOR
ANY LIABILITY ARISING OUT OF CONTENT PROVIDED BY LICENSEE OR A THIRD PARTY
THAT IS ACCESSED THROUGH WhoDunIt AND/OR ANY MATERIAL LINKED
THROUGH SUCH CONTENT.

6. General Provisions. If any part of this Agreement is found void and unenforceable,
it will not affect the validity of the balance of the Agreement, which shall remain valid
and enforceable according to its terms. You agree that The Software will not be shipped,
transferred or exported into any country or used in any manner prohibited by the United States
Export Administration Act or any other export laws, restrictions or regulations.
This Agreement shall automatically terminate upon failure by you to comply with its
terms. This Agreement may only be modified in writing signed by an authorized officer of
Niwot Networks.

Unpublished-rights reserved under the copyright laws of the United States.

Niwot Networks, Inc, 721 9th Ave., Longmont, CO 80501.
You've Got Files!, WhoDunIt, WhoDunIt.exe, WhoDunItHostEnable, WhoDunItObjectEnable, and youvegotfiles are trademarks of Niwot Networks, Inc.


WhoDunItuserman.htm -- last update:  October 1 2007

Copyright 1995-2008, Niwot Networks, Inc. All Rights Reserved
WhoDunIt.exe, Gigabyte Express, You've Got Files!, and RELIA are trademarks of Niwot Networks, Inc.