Find events for connections to a shared drive in the Windows Event Log


QUESTION :

I am working at a university institute. We use Microsoft Windows 7 Enterprise with one central server for our infrastructure. The roaming user profiles and a shared drive reside on the server.

Yesterday, one of our laptops was (presumably) stolen. Now we would like to investigate when this happened, to see whether people were still present in the institute or not.

My idea is to use the Microsoft Event Log, search for the computer’s name/IP address and see when the server lost the connection to the workstation. In which category do I have to look for this, or is this information even logged?

Is there a better way of finding out when the computer was online for the last time?

ANSWER :

There are no events written to the Windows Event Log when a client loses connectivity to an SMB share on a server. The only event that comes to mind that:

  1. Is generated by a standard/built-in Windows component, and
  2. Logs an event upon some sort of “disconnect” event

is if the laptop were in an active Remote Desktop session at the time the machine was unplugged from the network. In that case the server writes an event to the System log with Event ID 56 from the source TermDD as follows:

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.84.0.67.

The IP address would be that of the client (laptop), so you’d need to check your DHCP server to determine what IP your machine was last assigned.

Another Option: Security Events

You may not be able to find an event that records the exact moment when the client was disconnected from the network (unless you’re lucky enough to have a centrally-managed wireless controller that logs all wireless events, which is a good thought), but there’s a good chance you can establish the last time the machine was in fact connected to the network. With luck, this information may be enough to be helpful in some way.

Depending on how your server is configured, certain client-side events such as server access during machine startup, user logon, etc. may cause events to be written to the Windows Security event log on the server. For example, you may find events with the following IDs that confirm activity from your target machine and provide a corresponding date/time stamp:

The linked articles explain how to interpret each of these events. Unfortunately, on an active network there can be many such events logged which can make the job of finding the ones of interest rather time-consuming.
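The following PowerShell script is an added example (not part of the original answer) that puts the two approaches above together: it queries the server’s System log for the TermDD Event ID 56 disconnect described in the answer, then scans the Security log for any event within a time window that names the laptop by computer name or IP, and reports the most recent hit of each kind as the best estimate of when the machine was last online. It assumes it is run on the file server by an account allowed to read the Security log; `$ComputerName` is a placeholder you replace with the laptop’s name, and the sample IP is the one quoted in the answer. The mention of Security Event ID 4624 in the comments is my own well-known example of a logon event, not a reproduction of the answer’s missing ID list.

```powershell
# Added example, not from the original answer. Run on the server hosting the share / RDP service.
param(
    [string]$ComputerName = 'LAPTOP-PLACEHOLDER',   # placeholder: NetBIOS name of the missing laptop
    [string]$ClientIp     = '10.84.0.67',           # last DHCP lease for it (IP taken from the answer's sample event)
    [datetime]$Since      = (Get-Date).AddDays(-7)  # how far back to search
)

# 1) Remote Desktop disconnects: System log, source TermDD, Event ID 56 (as described in the answer).
#    The message text contains "Client IP: x.x.x.x", so we filter on the laptop's last known address.
$rdpDisconnects = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'TermDD'
    Id           = 56
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ClientIp) } |
    Select-Object TimeCreated, Id, Message

# 2) Security log: every event in the window whose message mentions the laptop's name or IP.
#    Logon events such as Event ID 4624 (my example; the answer's own list is not reproduced here)
#    carry "Workstation Name" and "Source Network Address" fields, which is what this matches on.
#    Reading the whole Security log is slow on a busy server; narrow $Since as much as you can.
$pattern = "(?i)\b$([regex]::Escape($ComputerName))\b|$([regex]::Escape($ClientIp))"
$securityHits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, @{ n = 'Task'; e = { $_.TaskDisplayName } }

# 3) Report: the newest hit of each kind is the best available "last seen online" timestamp.
$lastRdp = $rdpDisconnects | Sort-Object TimeCreated -Descending | Select-Object -First 1
$lastSec = $securityHits   | Sort-Object TimeCreated -Descending | Select-Object -First 1

"Last TermDD/56 disconnect for $ClientIp : " +
    $(if ($lastRdp) { $lastRdp.TimeCreated } else { 'none found' })
"Last Security event naming $ComputerName or $ClientIp : " +
    $(if ($lastSec) { "$($lastSec.TimeCreated) (Event ID $($lastSec.Id))" } else { 'none found' })

# Full timeline, oldest first, for the investigation notes.
$securityHits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it as `.\Find-LastSeen.ps1 -ComputerName LAB-LAPTOP-07 -ClientIp 10.84.0.67 -Since (Get-Date '2024-01-01')` (names are illustrative). Because the Security log is filtered only by `StartTime` and then scanned by message text, the script favours completeness over speed; once you know which event IDs your server actually produces for this machine, add `Id = @(...)` to the second `-FilterHashtable` to make the query much faster.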
