Keep a centralized record of all user logon and logoffs across your Windows NT4/2K/XP/2003 domain!
Know when and where users are accessing your systems!
Log easy-to-read data to Event Viewer, simple text files, or export to your own database!
Roll out remotely to your networked machines! (WinNT 4.0 or later)
No need to enable cumbersome operating system-level auditing or to manually consolidate event logs from multiple machines!
Greyware Logon Monitor Service records user logon/logoff and system startup/shutdown events on each local machine and then transmits
that data to another Logon Monitor service set to be the central Report Server (by default, the PDC/FSMO of your domain).
Logon Monitor runs as a system service that is installed on every machine on which you want to record logon/logoff data.
This locally installed service records all logons/logoffs that happen on the machine, even if the machine is not
currently connected to the network (as with laptops). Logon/off events are queued and transmitted to the Report Server
which collects the data from each reporting machine.
Logon Monitor will also record logon/logoffs of Terminal Services users who connect to a machine running
the Logon Monitor Service.
Events are recorded in easy-to-read format. The information can be stored three ways:
- Event Viewer records
- Text log file
- Comma-separated-value (CSV) file, for easy importing into a spreadsheet or
database program
Description
Logon Monitor can record user logons, user logoffs, service startups, and service
shutdowns. It is designed for a corporate LAN environment, or any other Windows
environment where user logon activity needs to be monitored network-wide.
- Reports logon, logoff, service startup, and service shutdown events
to both local logs (optional) and central server
- Central server (normally the PDC) can track both its own events and
events that occur on other machines
- Runs as an invisible system service on all versions of Windows
- Control panel applet may be deleted to keep users from changing settings
- Machines that cannot connect to the central server queue their events and
report them the next time they can reach the PDC
- NT-class machines may be installed, upgraded, or removed remotely -- no need
for administrators to visit every machine
- Optional INI file holds defaults used during installation to make network-wide
rollouts easier
- NT-class machines restrict access to logs, queues, and registry settings
to administrators
- Same executable program for all Windows platforms; automatically configures
itself for client or server functions
- Low memory and network usage; will not interfere with other programs or
slow down the machine
Here is a sample text log file, with debugging enabled so all events and activities are
recorded:
Setup and Installation
Installation
Logon Monitor runs as a system service. You must be logged on using an account
with administrative privileges to install, remove, or control the service.
The program will automatically determine your system type and install itself correctly.
After you download the zip file, unzip the contents
to a temporary directory on your machine (or a shared network directory), then
double-click setup.exe and click the Install button. Note: Some of our
products are distributed as self-extracting zip files. You may either just double-click
the distribution file, or rename it to .zip and unzip it.
If Logon Monitor is already installed, the Install button will not be present.
Instead, setup will present an Upgrade button. If older versions of any of the
distribution files already exist on your machine, the program will upgrade them
automatically when you select Upgrade. In some cases, it may be necessary for
you to reboot your machine to complete installation or an upgrade. If so, you will
be prompted to restart.
Logon Monitor installs to the system directory. On Windows 95/98/ME, this is
usually C:\Windows\system. On later versions, it is usually C:\Windows\system32 or C:\WINNT\system32.
Removal
Run setup.exe again, and click the Remove button on the setup dialog.
You may also run logonmon.exe /remove from the system directory. The Remove
button will only be enabled if setup determines that the service is already installed.
Upgrading
To upgrade to a new version, download and unzip the new version to a temporary
directory. Double-click the new setup.exe and click the Upgrade button.
The Upgrade button will only be visible if setup determines that an older version
of the service is already installed. Otherwise, only the Install and Remove
buttons will be shown.
Note: This program may be distributed as a self-extracting zip. If so, it will be named
.exe instead of .zip. You may rename it to .zip if you want to extract the files manually.
Otherwise, run the file you downloaded, and it will extract the files to a temporary
directory and run setup.exe for you.
Command-line Options
Although not generally needed, you may specify the following command-line options when
running setup.exe or logonmon.exe. You may use a dash or a forward slash before the option. Slashes
are shown below for clarity. Options may also be specified by just the first letter.
- logonmon.exe /version or setup.exe /version -- displays the program's version and copyright information.
- setup.exe /install -- forces installation.
- logonmon.exe /remove or setup.exe /remove -- forces removal.
- logonmon.exe /foreground -- runs the program in the foreground. (Not available on Win9x)
- setup.exe /upgrade -- upgrade to newer version without removing and reinstalling. (Not available on Win9x)
To assist with automated installations, the program also supports the /quiet command-line switch.
You may use the /quiet switch in conjunction with /remove, /install, or /upgrade.
When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered;
otherwise, the program performs the requested function and exits immediately. This feature makes it easy to
handle installations or upgrades network-wide with a simple batch file.
Administrative Options and Remote Installation
- Remote Install or Removal
The setup program, setup.exe allows you to specify parameters on the command line for remote installation
or removal:
setup [ -install | -remove | -upgrade | -quiet ] [\\targetmachine]
Examples
- setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
- setup -remove \\barney would remove the service from the machine \\barney
- setup -install -quiet would install the service onto the local machine without any prompts
- setup -remove -quiet would remove the service from the local machine without any prompts
Note: For remote installation or removal to work (i.e., specifying a target machine name as in the above two examples
using \\fred and \\barney), both the machine you are working on and the target machine must be logged on under an account
that has administrative privileges on the target machine. You cannot remotely install to
or remove from Windows 95/98/ME machines.
If you are installing to multiple machines, you may wish to edit the logonmon.ini
template file to pre-configure systems as they are installed. See the Notes
section below for details.
Version History
- 2.2.b.20071212 - updated version numbers to resolve confusion over 2.1 vs. 2.2 releases (some 2.1 builds had a later date than
the 2.2 builds). Fixed minor bug in logonmon.ini processing. Released as separate 32-bit and 64-bit versions. All changes below
are rolled up into this build.
- 2.1.b.20050816 - fixed bug that could cause high CPU usage on 64-bit versions of Windows 2003. Also changed event viewer logging to use unique event IDs for each type of
logged event, as follows:
  - User Logon: Event ID 2000
  - User Logoff: Event ID 2001
  - Service Startup: Event ID 2002
  - Service Shutdown: Event ID 2003
  - All other "success" messages: Event ID 1000
- 2.1.b.20040330 - changed monitoring technique to use helper file gwlmhelp.exe, which gives
Terminal Server monitoring support. Recommended upgrade for those monitoring Terminal Server
machines; optional otherwise.
- 2.1.b.20030626 - corrected bug that could cause the registered version to behave like an
expired evaluation version. Also XP-ified the control panel applet appearance.
- 2.1.b.20030410 - changed text on registered version of control panel applet to say "registered"
instead of "evaluation version." No other changes.
- 2.1.b.20021108 - internal changes for increased efficiency and reduced size. No functional
or interface changes.
- 2.1.b.20021030 - first public release.
- 1.x.- internal and OEM use.
Notes
By default, the PDC of the domain will listen for event reports from other machines on the
network. All events are always reported, but the control panel on the PDC controls which events
are echoed to the various logs on the PDC. For example, if you have the PDC set to only record logon events,
then only logon events will be recorded in the PDC's logs. Note that client machines may or may not have their
own individual logs enabled, and the events recorded on client machines do not have to match
the events recorded on the PDC.
After installation, the Logon Monitor applet will appear in the Control Panel. On NT-class machines, only
administrators or those with rights to administer their machines will be able to modify the settings.
However, if you wish, you may delete the logonmon.cpl file from your System32 directory to
prevent the applet from appearing.
The logonmon.ini file holds
default values used during installation. If the file is present in the setup directory, the
values in the file will be used. If it is not present, Logon Monitor will use its built-in
defaults. After installation, the ini file is not used, and may be deleted. Values are
transferred to the registry (see below) during installation.
The logonmon.ini also explains
each of the values and options. The keywords in the ini file match the keywords in the
registry, so you may use the ini file as a reference. You may use Registry Editor or the
control panel applet to change the settings after installation.
HKEY_LOCAL_MACHINE\Software\Greyware\Greyware Logon Monitor\Parameters
Listening Port
The Logon Monitor service running as the Report Server (see the Data Collection section of the
Advanced Settings page) listens on port TCP 1017. If you want to use a
different port, you must enter a value in the SERVICES file on each machine running Logon Monitor called
logonmon/tcp that specifies the port number you want. For this
change to take effect, the machines must be restarted.
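The following Python example is added here and is not part of Greyware's product or documentation. It reads SERVICES file contents collected from several machines and reports any machine whose logonmon/tcp port differs from the Report Server's. It assumes the entry uses standard services-file syntax (`logonmon <port>/tcp`); the machine names and file contents are constructed sample data.

```python
DEFAULT_PORT = 1017        # default Report Server port stated on this page
SERVICE_NAME = "logonmon"  # services-file name stated on this page (logonmon/tcp)


def effective_port(services_text):
    """Return the TCP port implied by one machine's SERVICES file text."""
    for raw in services_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2 or "/" not in tokens[1]:
            continue
        port, proto = tokens[1].split("/", 1)
        names = [tokens[0]] + tokens[2:]         # service name plus any aliases
        if SERVICE_NAME in names and proto.lower() == "tcp" and port.isdigit():
            if 0 < int(port) < 65536:
                return int(port)
    return DEFAULT_PORT                          # no override: built-in default


def find_mismatches(report_server, services_by_machine):
    """Return (server_port, [(machine, port), ...]) for machines that disagree."""
    expected = effective_port(services_by_machine[report_server])
    mismatched = sorted(
        (machine, effective_port(text))
        for machine, text in services_by_machine.items()
        if effective_port(text) != expected
    )
    return expected, mismatched


# Constructed sample input: SERVICES file text from three hypothetical machines.
SAMPLE = {
    "PDC01": "echo 7/tcp\nlogonmon 2017/tcp   # moved off the default\n",
    "WS-FRED": "echo 7/tcp\nlogonmon 2017/tcp\n",
    # Entry commented out and a UDP-only line: neither overrides the TCP port.
    "WS-BARNEY": "echo 7/tcp\n# logonmon 2017/tcp\nlogonmon 2017/udp\n",
}

if __name__ == "__main__":
    expected, mismatched = find_mismatches("PDC01", SAMPLE)
    print(f"Report Server listens on TCP {expected}")
    for machine, port in mismatched:
        # A client using a different port cannot reach the Report Server,
        # so its events stay queued locally and are absent from the central log.
        print(f"{machine}: configured for TCP {port}, expected {expected}")
```

A machine flagged here is a gap in the central logon record until its SERVICES entry is corrected and the machine restarted.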
Advanced Settings
The control panel applet has an Advanced button. On the Advanced Settings page, you may
override the default client-server behavior of the program. By default, only the PDC
listens for events, and all clients send their events to the PDC. You may have any NT-class
machine listen instead of (or in addition to) the PDC, and you may tell clients to send
their reports to a non-PDC machine by specifying the IP address, NetBIOS name, or fully-qualified
DNS name of the server.
Copyright © 1995-2026 Greyware Automation Products, Inc. All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.
Greyware Automation Products, Inc.
308 Oriole Ct, Murphy, TX 75094
972-867-2794 (voice)