DWMRCS Connection Logs
The Mini Remote Control program also automatically writes DWMRCS entries into the Application Event Log on a remote machine each time someone "Connects To", "Attempts to Connect To", or "Disconnects From" that machine using the Mini Remote Control program. The DWMRCS Application Event Log entry will contain the specific information about the Source machine as well as what UserID was used to access this remote machine (see below). For security reasons, this functionality cannot be disabled within the Mini Remote Control program.
If either the Local or Remote machines are running Windows 95/98/Me, the log will be written to a file called DWAccess.log, in either the %systemroot%\System (95/98/Me) directory or the %systemroot%\System32 (NT4/2000/XP/2003) directory.
Here are some additional DWMRCS events written by the Mini Remote Control program in the Application Event Log on a remote machine:
Event 105: The Mini Remote Client Agent Service has started.
Event 108: The Mini Remote Client Agent Service has stopped.
Event 111: The following user has connected via Remote Control
Event 112: The following user has disconnected (or was disconnected) via Remote Control

Event 109: Requesting permission to remote control.
Event 109: Permission to remote control was accepted by local user.
Event 109: Permission to remote control was declined by local user.
Event 109: Permission to remote control timed out. Local user did not respond within the timeout period.
Sample Application Event Log Entry - Connection Information:

Event Type: Information
Event Source: DWMRCS
Event Category: None
Event ID: 0
Date: 03/12/2004
Time: 09:00:00 AM
User: N/A
Computer: SUPPORT
Description: Connect: The following user has connected via remote control.
| Field | Sample value | Meaning |
|---|---|---|
| Date | 01/21/03 16:49:44 | Date/Time that the machine was accessed with MRC |
| Computer Name | PCNAME | Name of the remote computer that was used to access this machine |
| User ID | John | Remote machine's current active UserID during the MRC connection |
| Logon As ID | Administrator | User Name used to access this machine with MRC |
| Domain | | Account domain used with the "Logon As ID" |
| Desktop ID | Joe | Account currently logged into the Desktop on this local machine |
| OS Product ID | 55555-OEM-5555555-55555 | Remote machine's MS Windows Operating System Product ID |
| OS Registered Owner | John Doe | Remote machine's MS Windows registered owner's name |
| OS Registered Organization | ACME | Remote machine's MS Windows registered owner's company name |
| Host Name from Peer | pcname | Remote machine's Hostname (reported from that machine) |
| IP Address(s) from Peer | 192.168.xx.xx | Remote machine's IP Address (reported from that machine) |
| Host Name | | Remote machine's HostName (as seen by this Computer) |
| IP Address | 192.168.xx.xx | Remote machine's IP address (as seen by this Computer) |
| Protocol Version - DWRCC.EXE | 4.600000-0.000000 | Internal Protocol Version of the Mini Remote Control program |
| Protocol Version - DWRCS.EXE | 4.600000-0.000000 | Internal Protocol Version of the MRC Client Agent |
| Product Version - DWRCS.EXE | 4.6.0.1 | Actual Version number of the MRC Client Agent |
| Product Version - DWRCC.EXE | 4.6.0.5 | Actual Version number of the Mini Remote Control program |
| Proxy Host Used | No | Was a proxy host used to make this connection |
| Proxy Host | | If so, then what was the Proxy Host used |
| Proxy Destination Host | | Additional information about the proxy connection |
| Proxy Destination Port | 6129 | |
| Proxy Callback Port | 6132 | |
| Authentication Type | Encrypted Windows Logon | Authentication type used for this connection |
| Last Error Code | 0 | Last Error Codes (if any) |
| Last Error Code (WSA) | 0 | |
| Port Number | 6129 | TCP port that the Client Agent Service is listening on |
| Absolute timeout setting | 0 minutes | Some timeout values for the connection |
| Connect/Logon timeout setting | 90000 milliseconds | |
| Access Check | Administrators | What type of credentials were used for this connection (Administrator/User) |
| Registered | Yes | Was this copy of the MRC program registered |
| WTS Session | No | Is this a Terminal Services session |
| Used RSA Public-Key Key Exchange (xxxx bit keys). | | Key Exchange algorithm & key size used |
| Encryption IDs | XXXXX (yyyyy,yyyy,yyyy) | Encryption algorithms used for this MRC connection |
| Hashing IDs | XXXXX (yyyyy,yyyy,yyyy) | Hashing algorithm used for this MRC connection |
| Used Shared Secret | No | Was the Shared secret key feature used to make this connection |
| Registration | xxx-xxxxxxxxxxxxx-xxxxxxxxxxx | MRC Registration number (Registered versus Evaluation copy) |
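The following Python is an added example, not DameWare code: it parses the Description text of a DWMRCS connect event into fields and flags entries that deserve review during an audit. It assumes one "Field: value" pair per line and a comma- or space-separated peer IP list; the sample text, the addresses and the `allowed_sources` parameter are constructed for illustration.

```python
import ipaddress

# Constructed sample of a DWMRCS "Connect" event Description (not real data).
# Assumption: one "Field: value" pair per line, field names as documented above.
SAMPLE_DESCRIPTION = """\
Connect: The following user has connected via remote control.
Date: 01/21/03 16:49:44
Computer Name: PCNAME
User ID: John
Logon As ID: Administrator
Domain:
Host Name from Peer: pcname
IP Address(s) from Peer: 192.0.2.10
IP Address: 198.51.100.7
Authentication Type: Encrypted Windows Logon
Port Number: 6129
"""

def parse_dwmrcs(description):
    """Return {field: value}; the first line is the event summary and is skipped."""
    fields = {}
    for line in description.splitlines()[1:]:
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()  # empty values (e.g. Domain) are kept
    return fields

def review(fields, allowed_sources):
    """Return audit findings; allowed_sources is a list of CIDR strings (hypothetical policy)."""
    findings = []
    seen = fields.get("IP Address", "")
    try:
        addr = ipaddress.ip_address(seen)
        if not any(addr in ipaddress.ip_network(net) for net in allowed_sources):
            findings.append(f"source {seen} is outside the approved support ranges")
    except ValueError:
        findings.append(f"unparseable source address {seen!r}")
    # Assumption: multiple peer-reported addresses are comma or space separated.
    peer_ips = fields.get("IP Address(s) from Peer", "").replace(",", " ").split()
    if seen not in peer_ips:
        findings.append("peer-reported IP differs from the IP seen by this computer")
    if fields.get("Logon As ID", "").lower() != fields.get("User ID", "").lower():
        findings.append("Logon As ID differs from the operator's own User ID")
    return findings

if __name__ == "__main__":
    for finding in review(parse_dwmrcs(SAMPLE_DESCRIPTION), ["192.0.2.0/24"]):
        print("REVIEW:", finding)
```
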
Note: Security Audit Policy

You can also enable the Operating System's Security Audit Policy (on the remote machine) to monitor all network connections made to the remote machine. This feature not only logs all Mini Remote Control activity into the Operating System's Security Event Log, it also logs any network connections, any attempts to clear the Application Event Logs, and access to any securable objects within the O/S to the Security Event Log.
The Security Event Log can typically be found at: Start / Programs / Administrative Tools / Local Security Policy. Then under Local Policy, select Audit Policy and then enable the success and/or failure event logging of your choice.