REDHAND - SECURITY TRACKING - README.TXT

------------------------
How to Use This Document
------------------------

To view README.TXT on screen in Windows Notepad, maximise the Notepad window. Select word-wrap from the Edit menu.

To print README.TXT, open it in Windows Write, Microsoft Word, or another word processor.

-------------------------------------------------------

Please read the on-line help for the latest information, this file is a backup which will be saved to your keydisk when you make one.

*******************************************************
DISCLAIMER OF WARRANTY

THIS SOFTWARE AND MANUAL ARE SOLD "AS IS" AND WITHOUT WARRANTIES AS TO PERFORMANCE OF MERCHANTABILITY OR ANY OTHER WARRANTIES WHETHER EXPRESSED OR IMPLIED. BECAUSE OF THE VARIOUS HARDWARE AND SOFTWARE ENVIRONMENTS INTO WHICH THIS PROGRAM MAY BE PUT, NO WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE IS OFFERED.

GOOD DATA PROCESSING PROCEDURE DICTATES THAT ANY PROGRAM BE THOROUGHLY TESTED WITH NON-CRITICAL DATA BEFORE RELYING ON IT. THE USER MUST ASSUME THE ENTIRE RISK OF USING THE PROGRAM. ANY LIABILITY OF THE SELLER WILL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR REFUND OF PURCHASE PRICE.
********************************************************

--------------------------------------------------------

Thank you for trying out the evaluation version of "RedHand" v 2.25

New features since 2.1:

* Huge reduction in zip file and installation size.
* Much faster in all operations.
* RedHand can now run in "Invisible Mode", removing the icon from the desktop, and the program from the alt-tab order.
* Password and settings are remembered even if the hidden .ini file is damaged or deleted.
* Consumes less memory (typically 30k) and hard disc space.
* Unlimited amount of "window lock" words.
* Password is now encrypted and backed up for better security.
* Facilities for hiding RedHand's files and directories.
* Automatic protection of RedHand's essential files.
* Facility to lock exit from windows, and the StartUp group in Program Manager.
* Network facilities added - can monitor any number of PCs from one station.
* Better compatibility with WIN95
* Improved help files.
* Log search facility added.
* Data file names changed for added disguise
* Added Drive "b" option for making keydisks.
* RedHand is no longer time locked. I trust you to register!

** Bug fixes

1. RedHand would not lock the second window if two titles were identical.
2. Error message could be alt-tabbed round, this is no longer possible.
3. Password protection was sometimes lost after closing a locked window in visible mode.

I welcome any suggestions/comments, if something doesn't work as YOU want it to, please tell me!

--------------------------------------------------------

Contents:

1. Overview
2. Setting up "Red Hand" v2.25
3. Controls
4. Interpreting the Log
5. How to Register
6. Ombudsman
7. Autostart in win95

**************************************************************************
THE DEFAULT PASSWORD IS "redhand" - NOT "RedHand" OR "REDHAND"
Before you ring me - check that your "Caps Lock" is not on!
**************************************************************************

***DO NOT TAMPER WITH THE INI FILE - YOU MAY ACTIVATE A SHAREWARE EXPIRY WARNING***

1. Overview.

RedHand can place no restrictions on what the user does, but tell you exactly what someone did on your computer while you were away, exactly when they did it, and how long it took, and they won't even know they were being watched!

Additionally, windows can be discreetly "locked" to prevent access, RedHand will simply close them immediately or send an error message of your choice. You can control exactly which areas of your computer that you do not want others to have access to.

--------------------------------------------------------

You start RedHand by double clicking its icon in program manager, or the executable file.
On startup, RedHand minimises, runs as an innocent looking icon (there is a choice of fifteen) and begins recording. Once running, RedHand can only be stopped with a password and will continue to record the title of every window used, and stores them away in its data file. Its name does not appear in the windows "Task List", and therefore cannot be switched off.

You (with the password) can then view or print all activity on your computer up to the present time. Once the valid password has been entered you can, of course, stop the recording or end the program.

Alternatively, RedHand can go completely invisible, removing all traces of itself from the desktop. A floppy "KeyDisk" is then needed to make it visible again.

Note: The RedHand icon resides on the desktop behind all other windows, so to get at it you will need to minimise everything else that is running, as RedHand cannot be "Switched to.." from the task list. ('Cos it ain't there!)

You can monitor your computer even if it is switched off when you leave it. Just move the RedHand icon (or whichever icon you choose) into your "Startup" Group, and the program will run as soon as windows starts. The StartUp group can be locked to prevent the icon being moved out.

*************
NOTE: The registered version comes with a totally transparent icon which can be hidden in Program Manager. I CANNOT include this icon in the Shareware version, it would be too confusing to install if you were not familiar with the program.
*************

--------------------------------------------------------

The only giveaway that something may be going on is the rattle of the hard disk every time a window changes, as RedHand writes the Log. This is unavoidable, if RedHand stored its Log in volatile memory for any period of time before writing to disc, then the last entries in the log could be lost if the user just turns the power off.
The last entries are likely to be the most important if he/she is copying something to disc, as soon as the operation is complete he/she will just hit the on/off switch and go. As RedHand writes to the hard disc once a second this possibility is virtually eliminated.

In any case, the hard disc often reads and writes when windows change, and the casual user is unlikely to notice. You can minimise this by defragmenting your disc regularly (you should do this anyway), see your DOS manual.

It's not only security that RedHand is useful for, though, how about a "Time and Motion" study on your staff, it would save you having to stand there and watch!

--------------------------------------------------------

Limitations
-----------

Having recently lost the contents of my Hard Disc when a "High Security" program that I had installed crashed, I have gone to great lengths to ensure that RedHand will not damage your system files should anything go wrong. In fact, RedHand is one of very few security programs that makes no changes whatsoever to your existing system files at any time.

As a result, RedHand is not bombproof. Anyone who knows their way around DOS could copy some of your files without activating RedHand, using DOS commands. If windows runs as soon as you turn your computer on (ie "win" is in your autoexec.bat file), this is unlikely to be a problem, as RedHand would record the entry to windows and subsequent exit to DOS, which would at least give you the time of the intrusion.

Another problem could arise if someone found out what the password was, then they could "Clear the Log". It should be fairly easy to detect this though, just flick through a few windows before you leave the computer, and remember what they were. If the log does not show those windows when you come back, someone has been in!

RedHand's password is pretty well encrypted, so no-one is likely to get it out of your computer.
Used sensibly, and with a little careful thought, RedHand will detect all but the most determined "Hacker".

RedHand protects its own files by default when it is running, and keeps its .ini file hidden. You can optionally hide the RedHand directory as well, if you prefer. RedHand will recover the password and configuration settings even if the ini file is deleted or damaged. So don't forget your password...

One thing that you should be aware of is that RedHand does not like applications that put a digital clock on their title bar. Every time the second changes RedHand makes a new entry in the Log, and this can lead to the Log becoming cluttered in a very short space of time. This will cause problems if you are short of disc space, and therefore it is best to avoid such applications when running RedHand.

--------------------------------------------------------

2. Setting up "Red Hand"

1) To prevent possible conflicts with older files (i.e. you have a previous version of RedHand), delete the old "redhand" directory, making sure that the program is not running first.

2) Just unzip all the files into an empty directory, preferably called "redhand". Move grid.vbx and gauge.vbx to your windows/system directory if you prefer.

3) Create an Icon in Program Manager using "File" - "New" etc.

You may want to change the icon and description in Program Manager to disguise the program further. To do this, select the icon by clicking on it, select "Properties" from the file menu. Type whatever you like in the "Description" box, this is the text that appears beneath the icon in Program Manager. (The text beneath the minimised icon when the program is running is always blank, regardless of the description text)

Note: Program Manager will not accept no text at all, but it will accept a single "space" character if you want the text blank.
To change the icon in Program Manager, select "Change Icon" and then "Browse" to the windows directory, where there usually is a file called "moreicons" containing dozens of icons which can be used.

Alternatively, don't bother with an Icon and start the program from the file manager by double clicking redhand.exe.

To disguise the program still further, rename the "redhand.exe" file to something more innocent i.e. "winmon.exe". Remember to update the path property in Program Manager if you run RedHand from an icon there.

You will need a blank formatted disk when you run RedHand for the first time.

--------------------------------------------------------

3. Controls

When RedHand starts, it immediately minimises to a windows icon with no name and begins recording. It looks pretty innocent and does nothing when clicked. Doubleclicking the icon results in a request for a password, also with no indication as to what for. The default password is "redhand", and you should change it as soon as possible.

With the correct password entered, "OK" gives you access to the Log and controls. The viewer shows the window title in the first column, the time of entering the window in the second, the time actually spent using the window in the third, and the fourth column displays an "X" if the window was closed by RedHand's locking facility.

---------------
---------------
Main Log Window
---------------
---------------

-------
Buttons
-------

"Stop Recording" stops RedHand from adding any more entries to the Log, and disables window locking.

"Minimise+Start" - resumes recording and closes the Log viewing window. Once you have selected this option, you will need to enter your password again to get back in. (Note - Do not use the minimize button at the top right of the window, this is not the same as "Minimise & Start", and will allow re-entry without a password.)

"Print Selected Area" - prints the currently selected records from the list.
Select an area by dragging the mouse across the records you want to print, or click the first record and hold down shift while clicking the last, then click "Print Selected Area". To select all records, drag the mouse across the grey title bar at the top of the grid. RedHand will print as many pages as necessary, about 30 records to a page.

"Exit" - stops recording and closes the program.

---------
File Menu
---------

"Print Selected Area" - as above.

"Clear Log" - deletes all current records and resets the display.

"Refresh Display" also from the file menu, causes the Log display to be updated with the very latest information, up to the "RedHand" window itself.

"Find..." Opens a dialogue box which allows you to search the log for any piece of text.

"Configure" - opens the configuration window - see below.

"Change Icon" - gives you the option of selecting from 15 different icons. This sets the icon displayed when RedHand minimises (the one with no title).

"Network options..." - opens the Network configuration window - see below.

"View Network File..." - Allows you to view a remote file saved from your, or another machine.

"Exit" - stops recording and closes the program.

-----------
Record Menu
-----------

"Start Recording" - re-starts recording if it was switched off with "Stop Recording"

"Stop Recording" - temporarily stops recording.

-------------
Password Menu
-------------

"Change Password" allows you to enter your own password. The password is encrypted and hidden pretty well, and is not easily cracked, so don't forget it!

The password must be able to be used as a valid filename. Almost any word up to seven letters will do, it is case sensitive when in visible mode. If you intend to use RedHand in "Invisible Mode", then do not use a standard dictionary word, as it could easily turn up as part of a window title. See "Invisible Mode" for more information.
Because of the way RedHand operates when in "Invisible Mode", it is very wise to update your keydisk every time you change the password. This is because if RedHand's .ini file is tampered with, it will immediately go invisible.

---------
Help Menu
---------

"Quick Guide" - opens the quick guide window, with basic instructions on how to use RedHand.

"Full Info" - opens the main help window.

"Register" - allows you to print a registration form to send off. (Please!)

----------
About Menu
----------

Version information and contact address for Hard Drive Software. Also gives the current size of your data file, and the number of records that it contains.

----------------
----------------
Configure Window
----------------
----------------

----------------------------------------
"Record only the last ---- windows used"

Sets the number of entries (window titles) allowed to remain in the data file. The minimum number allowed is 10 and the maximum is 1,900. The default is 500. RedHand will remove the oldest records first, and this operation is performed when the program starts up.

This feature has been added to make it easier for companies to monitor their employees on a day to day basis, without the supervisor having to bother to clear the log every day. Set to 1,000 RedHand will keep a record of the past few days and erase anything older.

----------------------------------------------------
"Keyphrase Window Locks"

Type in part of the title of any window you want to "lock". Click "Add Keyphrase" to add your text to the list. To delete a keyphrase, select it and then click "Delete Keyphrase"

If RedHand finds any of the words listed in any part of a window's title, it will immediately close that window. Some care is needed here, use the whole title if possible, as if you enter "avi" to lock a video player for instance, it will also lock my web address: http//www.p'avi'lion.co.uk/harddrive/.
Wherever possible, open the window you want to lock, and use a unique piece of the title text.

Examples:

To lock windows "file manager" type in "file manager". File manager will not be allowed to start.

To lock the "windows" directory within File Manager, type in "File Manager-(C:\windows\*.*)". RedHand will then allow normal access to the File Manager, but close it if the user should select the windows directory.

There is no limit to the possible combinations, and a bit of trial and error is required to get the desired results.

Note: Not all windows can be locked, if the window does not have a "control box" (the little box with a "-" sign in it) then locking will not work.

------------------------

"Lock Startup Group" - Check this box to prevent any changes being made to the StartUp group in Program Manager. When you first select this option, Program Manager behaves in an odd manner, allowing an icon to be copied out of the group, and then telling you that this is not possible! From then on it works perfectly. (Don't ask why!) Also when you turn this option off, you must open a drop down menu in Program Manager before the change takes effect and you can move the Icons once more.

"Enable window locking" - Check this box to switch the window locks on.

"Hide RedHand Directory" - Hides RedHand's directory from other applications.

"Lock Exit from Windows" - Prevents the user from exiting windows.

"Invisible Mode" - Removes the Icon from the desktop. Once invisible, RedHand can only be viewed or stopped by forcing the password to appear in a window's title text. This is where your KeyDisk comes in.

To view the log when RedHand is invisible:

1. Insert your KeyDisk.
2. Start windows Notepad or another similar program.
3. Select "Open" from the "File" menu, and browse to your password stored on the KeyDisk in "a".
4. Select your password and click OK to load the file in Notepad, Notepad will close immediately and RedHand will open.
Alternatively, or if you lose your KeyDisk, start Notepad and type something (anything), then choose "Save" from the File menu, enter your password as the filename and click OK. If you use this method, you must delete the file you created manually, as RedHand has no way of knowing where Notepad saved it to.

----------------------------------------------------
"Message to be displayed when closing locked window"

Select an error message, or type in one of your own, which RedHand will use when closing a "locked" window. Discreet messages like "System Error - Cannot Open File" should help to maintain the secrecy of the program, as the user will think that a real program error has occurred. Alternatively, if you don't mind people knowing what's going on, then "Get Lost!" might be more appropriate!

Select "No Message - Close Window Immediately (Default)" from the drop down list if you want no message displayed.

----------------------
----------------------
Network Options Window
----------------------
----------------------

This window allows you to specify when and where you would like RedHand to copy the data file. This feature has been added to allow network administrators to monitor all individual PCs on a whole network, without leaving their desk.

"Target Directory" - type in the full path to the directory you want the file saved to. Make sure that the directory exists! RedHand is not going to pop up on someone's computer and announce that it can't find the "spy" directory if it isn't there!! In this case RedHand will do nothing, just keep recording...

"When to copy the file" - Sets the times you want RedHand to update the file in the target directory.

Choose "On Windows Exit" to copy the log when the user exits windows.

Enter a number of minutes for regular saving. (If this field is blank RedHand will not save the file at intervals)

Enter a time of day if you want the Log updated at a certain time of each day.
(If this field is blank RedHand will not save the file at any time of day)

The three options can be mixed to suit your needs, but remember that every time the file is copied, the existing file in the target directory is overwritten.

"User Name" - Allows you to enter a name for each machine RedHand is monitoring.

Tip: I recommend setting up this feature anyway, even if you do not have a network. This is because in some circumstances (unorthodox windows exits like power outages) the "rhspll.dat" file may be corrupted, and RedHand will start with a blank file if this happens.

--------------------------------------------------------

4. Interpreting the Log

While RedHand accurately represents all activity on your computer, there are a few occasions when things are not quite what they appear to be. So to avoid the embarrassment of falsely accusing your secretary of embezzling the company's funds, or your children of playing games (or worse!) rather than doing their homework, please take a few minutes to consider the following points.

RedHand gets its information from the title bar of the window that the user is currently using - ie if you are using Windows Notepad to read this file then RedHand would record "Notepad - README.TXT" and then the current date, time, and finally the amount of time the user spent before moving to another window. (It will also record whether the window was locked) It generally does not track DOS applications, but will usually get the name of the application if it is initialised from windows.

The first entry in a recording session is ---Begin Session---, by the way, so you can always see where the session started and stopped.

Sometimes a window has no title (screen savers and some registration reminder screens for example) and if this is the case then RedHand records "Unknown-(See Interpreting the Log)". This can be misleading, and the only way to get an idea of what was going on is to study the entries immediately before and after the "Unknown".
An Exit to DOS can also result in an "Unknown".

For instance, starting an unregistered version of a program called "Program" would look something like this:

---------------------------------------------------------------------
Program Manager - (Date, Time & 00:10:15) := Program Manager Screen
Program - (Date, Time & 00:00:02) := "Program" Starts up
Unknown-(See Interpreting the Log) - (Date, Time & 00:00:02) := Registration Screen
Program - (Date, Time & 00:05:32) := User Using "Program"
Unknown-(See Interpreting the Log) - (Date, Time & 00:00:02) := Registration Screen
Program Manager - (Date, Time & 00:05:15) := Program Manager Screen
---------------------------------------------------------------------

It should be obvious from this example that the "Unknown" windows are registration screens by looking at what goes on before and after.

Note: As the RedHand icon and "password" windows themselves have no titles, they may produce confusing results, being recorded as "Unknowns", if a user makes a number of attempts to get in.

It is also obvious that no-one is going to "Exit to DOS" for two seconds! (Unless by accident) Screen Savers are more difficult to identify, but if the unknown is a Screen Saver, then the windows immediately preceding and following will always be the same.

Another thing to consider, is how many times have you accidentally clicked on the wrong icon, or the wrong file? People do make mistakes, and if the sensitive "Off Shore Bank Accounts" ledger suddenly appears in your secretary's log, she may have done just that. If it was a genuine mistake, then you would expect to see a speedy exit from the program, file or whatever. 15 seconds is not unreasonable, especially if she is not sure how to get out of it. However, if the next entries in the Log are "Printing" or "Copying File" or "Save As", then you should be worried!

Don't jump to conclusions. The best way to see how the Log works is to record your own actions for an hour or two.
This will help you to be objective when you read the actions of someone else.

--------------------------------------------------------

5. How to Register

"RedHand" is Shareware. You are permitted to use this program at no charge for an evaluation period of 30 days. Feel free to distribute copies to your friends, but only in its original form, which must include the file "readme.txt".

If you find "RedHand" useful and want to continue using it after the 30 day trial period, then you must make a registration payment of £12 ($25 US) plus £2 ($3) p&p to Hard Drive Software. The registration fee will licence one copy for use on one computer at any one time.

Open the file "register.txt", or see the online registration screens.

The registered version comes with:

A totally transparent icon, which makes RedHand almost totally invisible, even to an experienced user.
A randomly generated executable file name.
No Registration Screens
No Registration reminders on log printouts.

--------------------------------------------------------

6. Ombudsman

"RedHand" is produced by "Hard Drive Software", a member of the Association of Shareware Professionals (ASP). ASP wants to make sure that the shareware principle works for you. If you are unable to resolve a shareware-related problem with an ASP member by contacting the member directly, ASP may be able to help. The ASP Ombudsman can help you resolve a dispute or problem with an ASP member, but does not provide technical support for members' products. Please write to the ASP Ombudsman at 545 Grover Rd., Muskegon, MI USA, or send a Compuserve message via CIS MAIL to ASP Ombudsman 72050,1433.

--------------------------------------------------------

7. Autostart in win95

RedHand can be made to autostart in WIN95, with no reference to the program in the normal startup procedures. Below is a sample registry entry, with "winmon" pointing to RedHand.

===================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SystemAgent"="C:\\WINDOWS\\SYSTEM\\SAGE.EXE"
"TBAV for Windows 95"="C:\\TBAVW95\\TBW95RUN.Exe /AutoStart"
"ActiveMovie File Extensions"="ActMovie.exe /Check"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"AtiKey"="Atikey32.exe"
"winmon"="C:\\snoop\\Redhand.exe"
===================

Thanks Greg!
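
Added example, not part of the original README and not RedHand's own code: because a Run entry such as "winmon" above says nothing about what it starts, and the executable can be renamed, a check of the Run key is better made against a known-good export than by judging names. The baseline export, the trusted root C:\WINDOWS and every function name below are assumptions made for this example.

```python
import ntpath
import re

# Run-key export quoted in section 7 of this README (raw string keeps .reg escaping).
CURRENT_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SystemAgent"="C:\\WINDOWS\\SYSTEM\\SAGE.EXE"
"TBAV for Windows 95"="C:\\TBAVW95\\TBW95RUN.Exe /AutoStart"
"ActiveMovie File Extensions"="ActMovie.exe /Check"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"AtiKey"="Atikey32.exe"
"winmon"="C:\\snoop\\Redhand.exe"
'''
# Constructed baseline (assumption): the same key before the extra entry appeared.
BASELINE_EXPORT = "\n".join(
    l for l in CURRENT_EXPORT.splitlines() if not l.startswith('"winmon"'))

TRUSTED_ROOTS = ("c:\\windows",)  # assumption: where this machine's OS files live
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_run_key(reg_text):
    """Return {value name: command line} from the CurrentVersion Run section(s)."""
    entries, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith("\\currentversion\\run")
        elif in_run and (match := VALUE_RE.match(line)):
            entries[unescape(match.group(1))] = unescape(match.group(2))
    return entries

def executable_of(command):
    """Program part of a command line: quoted path, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    parts = command.split(None, 1)
    return parts[0] if parts else ""

def outside_trusted(command):
    """True when the program has an explicit directory outside TRUSTED_ROOTS."""
    directory = ntpath.dirname(executable_of(command)).lower()
    if not directory:  # bare name, resolved through the search path
        return False
    return not any(directory == r or directory.startswith(r + "\\")
                   for r in TRUSTED_ROOTS)

def untrusted_locations(entries):
    # Location alone is a noisy signal: legitimate tools install anywhere.
    return [n for n, c in entries.items() if outside_trusted(c)]

def audit(baseline, current):
    """Report entries added or changed since the baseline, whatever they are called."""
    findings = []
    for name, command in current.items():
        if baseline.get(name) == command:
            continue
        exe = executable_of(command)
        findings.append({"name": name, "executable": ntpath.basename(exe),
                         "status": "added" if name not in baseline else "changed",
                         "directory": ntpath.dirname(exe),
                         "outside_trusted": outside_trusted(command)})
    return findings

if __name__ == "__main__":
    for finding in audit(parse_run_key(BASELINE_EXPORT), parse_run_key(CURRENT_EXPORT)):
        print(finding)
```

Location alone flags the antivirus entry as well as "winmon"; only the comparison with the baseline isolates the entry that was added.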