Unsuccessful login: taking a picture.

Sometimes you need to know who was trying to log in to your laptop running Windows.
One way to find out is to take a picture with the webcam after a wrong user password has been entered.

Requirements

  • A somewhat recent version of Windows (Windows 7 or later)
  • A DirectShow-compatible video device (probably anything Windows recognizes as a camera, and more)
  • ffmpeg.exe (http://ffmpeg.org/)

snapshot_login_failure.bat

@echo off

:: Get date and time independent of regional settings. Source: http://stackoverflow.com/questions/203090/how-to-get-current-datetime-on-windows-command-line-in-a-suitable-format-for-us
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' set ldt=%%j
set datetime=%ldt:~0,4%_%ldt:~4,2%_%ldt:~6,2%_%ldt:~8,2%_%ldt:~10,2%_%ldt:~12,2%

:: Capture snapshot through DirectShow using FFmpeg and save to disk. Change name of video adapter and save path.
ffmpeg.exe -f dshow -i video="USB 2.0 UVC HD Webcam" -vframes 1 E:\snapshot_%datetime%.jpg

snapshot_login_failure.xml (import this as a Windows Task Scheduler task)

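<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <!-- version 1.3 is assumed: the settings below (e.g. UseUnifiedSchedulingEngine) belong to the Windows 7 task schema -->
  <RegistrationInfo>
  </RegistrationInfo>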
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-19</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>E:\snapshot_login_failure.bat</Command>
      <WorkingDirectory>E:\</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
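
The following PowerShell script is an added example, not part of the original page: it reads recent 4625 events with the same XPath filter as the task trigger and pairs each one with the snapshot taken shortly afterwards, so every picture can be tied to an account name and logon type. The E:\ folder and the file-name pattern come from the batch file above; the 30-second matching window and the variable names are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).
$SnapshotDir = 'E:\'   # save path used by snapshot_login_failure.bat
$WindowSec   = 30      # assumed upper bound for the delay between event and snapshot
$XPath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"

# Index the snapshots by the local timestamp encoded in the file name
# (snapshot_yyyy_MM_dd_HH_mm_ss.jpg); files that do not parse are skipped.
$snapshots = @(Get-ChildItem -Path $SnapshotDir -Filter 'snapshot_*.jpg' | ForEach-Object {
    $stamp = $_.BaseName -replace '^snapshot_', ''
    $taken = [datetime]::MinValue
    if ([datetime]::TryParseExact($stamp, 'yyyy_MM_dd_HH_mm_ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$taken)) {
        [pscustomobject]@{ Taken = $taken; File = $_.FullName }
    }
})

Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents 20 | ForEach-Object {
    $evt  = $_
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    # First snapshot taken within the window after the event. The file name
    # only has one-second resolution, hence the -1 second tolerance.
    $match = $snapshots | Where-Object {
        $delta = ($_.Taken - $evt.TimeCreated).TotalSeconds
        $delta -ge -1 -and $delta -le $WindowSec
    } | Sort-Object Taken | Select-Object -First 1

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']
        Source    = $data['IpAddress']
        Snapshot  = if ($match) { $match.File } else { '(none)' }
    }
} | Format-Table -AutoSize
```

If the query returns no events after a deliberately wrong password, check that failure auditing is enabled for the Logon subcategory with `auditpol /get /subcategory:"Logon"`. A row with no snapshot means the task did not run or ffmpeg could not open the camera.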


Notes:
The login failure event triggers after clicking OK on the "Wrong username or password ..." dialog and not immediately after entering invalid login inf

 

Troubleshooting:

1. Find the name of the camera:
ffmpeg -list_devices true -f dshow -i dummy

2. Find Out What Windows Program Is Using Your Webcam:
To do this you'll need Process Explorer, which you can download from Microsoft Sysinternals.

With Process Explorer running, follow these steps:

   - Figure out what your camera's object name is by finding it in Device Manager.  For Windows 7: search "Device Manager" in the start menu.  For Windows 8.1: search the same thing in the Charms bar.
   - Once you locate it in the Device Manager, double-click and go to the "Details" tab.  Open the property drop-down and select "Physical device object name", then right-click to copy the name.
   - Return to the Process Explorer, or get it started if you haven't yet.  Then hit Ctrl+F and paste the camera's object name into the search field and click "Search."  You should see whatever processes are currently using your webcam.

Additionally:

You can also record a few seconds of audio through the microphone:

ffmpeg.exe -f dshow -t 10 -i audio="Microphone (Lenovo USB2.0 Audio" E:\snapshotaudio_%datetime%.wav
