Sometimes you need to know who was trying to log in to your Windows laptop.
One way is to take a picture with the webcam after a wrong user password is entered.
Requirements
- A somewhat recent version of Windows (Windows 7 or later)
- A DirectShow-compatible video device (probably anything Windows recognizes as a camera, and more)
- ffmpeg.exe (http://ffmpeg.org/)
snapshot_login_failure.bat
@echo off
:: Get date and time independent of regional settings. Source: http://stackoverflow.com/questions/203090/how-to-get-current-datetime-on-windows-command-line-in-a-suitable-format-for-us
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' set ldt=%%j
set datetime=%ldt:~0,4%_%ldt:~4,2%_%ldt:~6,2%_%ldt:~8,2%_%ldt:~10,2%_%ldt:~12,2%
:: Capture snapshot through DirectShow using FFmpeg and save to disk. Change name of video adapter and save path.
ffmpeg.exe -f dshow -i video="USB 2.0 UVC HD Webcam" -vframes 1 E:\snapshot_%datetime%.jpg
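snapshot_login_failure.xml (import this as a Windows Task Scheduler task)
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
</RegistrationInfo>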
<Triggers>
<EventTrigger>
<Enabled>true</Enabled>
<Subscription><QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]</Select></Query></QueryList></Subscription>
</EventTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>S-1-5-19</UserId>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>E:\snapshot_login_failure.bat</Command>
<WorkingDirectory>E:\</WorkingDirectory>
</Exec>
</Actions>
</Task>
Notes:
The login failure event triggers after clicking OK on the "Wrong username or password ..." dialog and not immediately after entering invalid login inf
Troubleshooting:
1. Find name of the camera:
ffmpeg -list_devices true -f dshow -i dummy
2. Find Out What Windows Program Is Using Your Webcam:
To do this you'll need Process Explorer, available from Microsoft Sysinternals.
With Process Explorer running, follow these steps:
- Figure out what your camera's object name is by finding it in Device Manager. For Windows 7: search "Device Manager" in the start menu. For Windows 8.1: search the same thing in the Charms bar.
- Once you locate it in the Device Manager, double-click and go to the "Details" tab. Open the property drop-down and select "Physical device object name", then right-click to copy the name.
- Return to the Process Explorer, or get it started if you haven't yet. Then hit Ctrl+F and paste the camera's object name into the search field and click "Search." You should see whatever processes are currently using your webcam.
Additionally:
You can also record audio through the microphone for a few seconds:
ffmpeg.exe -f dshow -t 10 -i audio="Microphone (Lenovo USB2.0 Audio" E:\snapshotaudio_%datetime%.wav
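To see which account and logon type each picture belongs to, the snapshots can be matched against the 4625 events that triggered them. The following PowerShell is an added example, not part of the original post; it assumes the E:\ save path and snapshot_<datetime>.jpg naming from the batch file above, and the 30-second matching window is an arbitrary choice.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt,
# because reading the Security log requires administrator rights.
# Event 4625 is only written when failure auditing for logon events is enabled.
$snapshotDir = 'E:\'   # save path used by snapshot_login_failure.bat
$windowSec   = 30      # assumed maximum gap between event and snapshot (arbitrary)
$fmt  = 'yyyy_MM_dd_HH_mm_ss'                         # matches %datetime% in the batch file
$inv  = [cultureinfo]::InvariantCulture
$none = [System.Globalization.DateTimeStyles]::None

# Collect failed logons and extract the named fields from each event's XML.
$failures = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt    = $_
        $fields = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            User      = $fields['TargetUserName']
            LogonType = $fields['LogonType']    # 2 = interactive, 7 = unlock, 10 = remote interactive
            Source    = $fields['IpAddress']
        }
    })

# Parse the timestamp out of each file name and attach the closest event within the window.
Get-ChildItem -Path $snapshotDir -Filter 'snapshot_*.jpg' | ForEach-Object {
    $file  = $_
    $taken = [datetime]::MinValue
    $stamp = $file.BaseName -replace '^snapshot_', ''
    $ok    = [datetime]::TryParseExact($stamp, $fmt, $inv, $none, [ref]$taken)
    if (-not $ok) { return }   # skip files that do not follow the batch file's naming

    # The file name is truncated to whole seconds, so compare by absolute distance.
    $nearest = $failures |
        Where-Object { [math]::Abs(($_.Time - $taken).TotalSeconds) -le $windowSec } |
        Sort-Object { [math]::Abs(($_.Time - $taken).TotalSeconds) } |
        Select-Object -First 1

    [pscustomobject]@{
        Snapshot  = $file.Name
        Taken     = $taken
        User      = $nearest.User
        LogonType = $nearest.LogonType
        Source    = $nearest.Source
    }
} | Format-Table -AutoSize
```

A snapshot with empty User and LogonType columns had no 4625 event within the window, for example because the Security log has since rolled over.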