Never had to check this before, so hoping someone else has and can give me some pointers… Does anyone know if a Windows XP machine keeps any log files about all the documents a user sent to a networked printer to print out? I can't seem to locate any such log files. Any pointers welcome…
Check all the EMF spool data. If you run the EMF file finder in EnCase, you'll be able to find printed content.
Also, if you look at the metadata, a bit of information about the printer etc. can sometimes be found in there.
Can you look at it from the other side? So if the network used a print server are there any logs from that infrastructure about documents sent to it?
Might it also be worth running some keyword searches on the printer name and ip address to see if anything comes up?
Windows systems don't maintain logs of files that get sent to the printer, networked or otherwise. You can search for printer spools, but to be honest, I've never had any luck along these lines.
You might have some success, depending upon the document format. MS Office OLE documents have a "last printed date" property that may be useful, particularly when combined with Registry analysis of the user's profile hive file…
Or, taking that "other side" looking a bit further, depending on the printer there might be evidence in the printer's drive.
Such networked printers often cache large files to a local drive.
I've been able to get some information from the Windows System Event Logs on 2003 Print Servers that have allowed me to pinpoint what machine printed certain documents at a particular date/time. Data included has been filename, size, date, time, source machine, dest printer which has then given us a target machine to examine.
Ian,
What are the event ID and source for these entries? Also, is a specific audit configuration required?
Thanks,
h
As per IanF's statement, if the network printer is accessed via a Windows 2003 print server, then check the event logs on the print server. You should find date, time, filename, submitting user of the print job - if you know the name of the file in question, file type or even the size of the file in question - you should be able to filter through the logs and find the entry you're looking for.
I don't recall if this was due to an audit setting on the print server or just there by default.
Had a look at local events in the event viewer through (administrative tools > systems tools > event viewer), sent a few printed documents to a network printer to see if any logs showed up in the local event viewer, but couldn't see anything. The logs on the print server itself, due to volumes of users etc., only go back 7 days, which is no good to us really.
Ian,
What are the event ID and source for these entries? Also, is a specific audit configuration required?
Thanks,
h
Yeah - it's Event ID 10 and Source = Print
The default config of a Print Server sets this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\EventLog
Default behaviour is to log Print events, but this can fill the System Event logs quite quickly, as Paulo has said, so a lot of sys admins disable this key. I've set up Event Log harvesting from all servers in one particular client to a central store on a weekly basis and sized all event logs to hold at least 4 weeks' data.
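For filtering an exported print server System log down to the Event ID 10 / Source = Print records discussed above, here is an added example that is not part of the original thread. The CSV column names, the sample rows and the wording of the event description are assumptions; check the pattern against a real record from the server being examined.

```python
import csv
import io
import re
from datetime import datetime

# Assumed wording of the Event ID 10 description on a 2003 print server
# (the thread does not quote it; verify against a real exported record).
MSG_RE = re.compile(
    r"Document (?P<job>\d+), (?P<document>.+) owned by (?P<owner>\S+) "
    r"was printed on (?P<printer>.+) via port (?P<port>\S+?)\.\s+"
    r"Size in bytes: (?P<size>\d+); pages printed: (?P<pages>\d+)"
)

# Constructed sample of a System log export; every value is made up.
SAMPLE = '''\
Date,Time,Source,EventID,User,Computer,Description
2009-03-02,09:14:07,Print,10,jsmith,PRINTSRV01,"Document 14, Microsoft Word - Q1 offer.doc owned by jsmith was printed on HP LaserJet 4250 via port IP_192.0.2.50.  Size in bytes: 184320; pages printed: 3"
2009-03-02,10:02:55,Service Control Manager,7036,N/A,PRINTSRV01,"The Print Spooler service entered the running state."
2009-03-01,17:45:12,Print,10,akhan,PRINTSRV01,"Document 9, payroll.xls owned by akhan was printed on Finance Colour via port FIN01.  Size in bytes: 52224; pages printed: 12"
'''


def print_jobs(csv_text, name_filter=None):
    """Return one dict per Event ID 10 / Source Print record, oldest first.

    name_filter is an optional case-insensitive substring of the document name.
    """
    jobs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Source"] != "Print" or row["EventID"] != "10":
            continue
        m = MSG_RE.search(row["Description"])
        # Keep records that do not parse so they can be reviewed by hand.
        job = m.groupdict() if m else {"document": "", "raw": row["Description"]}
        if m:
            job["size"], job["pages"] = int(job["size"]), int(job["pages"])
        job["when"] = datetime.strptime(
            row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S")
        job["server"] = row["Computer"]
        if name_filter is None or name_filter.lower() in job["document"].lower():
            jobs.append(job)
    return sorted(jobs, key=lambda j: j["when"])


if __name__ == "__main__":
    for j in print_jobs(SAMPLE):
        print(j["when"], j.get("owner"), j.get("document"),
              j.get("printer"), j.get("size"))
```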