User Interface Audit Logs
When staff are using the PosGreen system for capturing sales at Point of Sale (checkouts) the system can be configured to record all keystrokes, mouse clicks, USB device movement and application activation. This provides a rich log of exactly how the user interacted with the system at the physical operation layer.
Data is collected using PreTranslateMessage and logged to memory buffers for delayed writing. The actual collection format on live systems is an encrypted binary format, but the files below have been converted to ASCII CSV-style files. Sensitive data such as passwords or uniquely identifying information has been changed but not removed. For example, if the password is 'cat' the logs below might show 'fzw' as the password: the length is retained but the contents are scrambled. There is no credit card information in these files.
Some retail systems have barcode scanners attached. Some of these scanners emulate keyboards, so that when a barcode is scanned it appears in the logs as the user typing. Scanners for Fieldpine are configured to send a prefix (ctrl-B) before the barcode and a suffix (ctrl-C) at the end. When processing, if you see keystrokes inside a ctrl-B/ctrl-C block then these are highly likely to be a barcode scan.
- UserActivity_Dev1.csv This CSV is taken from a development/test system over a very short period of time. It is a useful starting point for understanding the format of the files.
- (TBS) A complete trading-day trace from a busy customer-facing system which makes frequent small sales. Touch-screen based with a barcode scanner, although the scanner is not heavily used. There is no mouse or keyboard connected to this system; it is purely touch based. The interface includes a common pop-up window where staff select options for the items sold.
File Contents
The first column identifies the record type.
- A record type of 'UACT' (User ACTivity) is followed by these columns:
  - The event type. These values map directly to the Windows WM values, such as WM_KEYUP or WM_DEVICECHANGE
  - The HWND parameter in the MSG which will receive this message
  - The MSG wParam field
  - The MSG lParam field
  - The MSG time field
  - The MSG pt.x field
  - The MSG pt.y field
- A record type of 'TUSH' provides information identifying the physical machine that created this file. There is typically only one of these records in each file. Information such as BIOS and hard drive serial numbers may be present here.
Example File
Type | Event | HWND | wParam | lParam | time | pt.x | pt.y |
UACT | 256 | 657846 | 16 | 3538945 | 15454000 | 711 | 337 |
UACT | 256 | 657846 | 53 | 393217 | 15454203 | 711 | 337 |
UACT | 258 | 657846 | 37 | 393217 | 15454203 | 711 | 337 |
UACT | 257 | 657846 | 53 | -1073348607 | 15454265 | 711 | 337 |
UACT | 257 | 657846 | 16 | -1070202879 | 15454296 | 711 | 337 |
UACT | 256 | 657846 | 80 | 1638401 | 15454531 | 711 | 337 |
UACT | 258 | 657846 | 112 | 1638401 | 15454531 | 711 | 337 |
UACT | 257 | 527502 | 80 | -1072103423 | 15454609 | 711 | 337 |
UACT | 256 | 527502 | 80 | 1638401 | 15455765 | 711 | 337 |
...
Event 256 is WM_KEYDOWN, meaning a key has been pressed down. The virtual key code is held in the wParam field: 16 is the Shift key, 53 is the '5' key on the main keyboard, and 80 is the 'P' key.
Event 257 is WM_KEYUP, meaning a key has been released. The meaning of wParam is the same as for WM_KEYDOWN.
Event 258 is WM_CHAR, where Windows has decoded a single character. In this case, the Shift+5 keydown sequence is delivered as 37, which is the ASCII code for '%'.
Consult the Microsoft documentation for the MSG structure used by PreTranslateMessage to decode other events.
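The following is an added example, not Fieldpine or PosGreen code, showing how the UACT rows above and the ctrl-B/ctrl-C scanner framing described earlier can be processed together: it parses the pipe- or comma-separated rows, rebuilds the operator's input from WM_CHAR records, and separates out the characters that arrived inside a ctrl-B ... ctrl-C block. It assumes the scanner prefix and suffix arrive as WM_CHAR values 0x02 and 0x03; the sample rows are constructed (the page's Shift+5 rows followed by a scan of "42").

```python
# Added example (not Fieldpine/PosGreen code): parse UACT rows and rebuild operator input.
WM_KEYDOWN, WM_KEYUP, WM_CHAR = 0x0100, 0x0101, 0x0102   # 256, 257, 258
STX, ETX = 0x02, 0x03  # ctrl-B / ctrl-C as WM_CHAR values (assumed scanner framing)

# Constructed sample: the page's Shift+5 ('%') rows, then a scan of "42" framed by
# ctrl-B ... ctrl-C.  Columns: type, event, HWND, wParam, lParam, time, pt.x, pt.y
SAMPLE = """\
UACT | 256 | 657846 | 16 | 3538945 | 15454000 | 711 | 337 |
UACT | 256 | 657846 | 53 | 393217 | 15454203 | 711 | 337 |
UACT | 258 | 657846 | 37 | 393217 | 15454203 | 711 | 337 |
UACT | 257 | 657846 | 53 | -1073348607 | 15454265 | 711 | 337 |
UACT | 258 | 657846 | 2 | 1 | 15460000 | 711 | 337 |
UACT | 258 | 657846 | 52 | 1 | 15460010 | 711 | 337 |
UACT | 258 | 657846 | 50 | 1 | 15460020 | 711 | 337 |
UACT | 258 | 657846 | 3 | 1 | 15460030 | 711 | 337 |
"""

def parse_uact(text):
    """Return UACT rows as dicts; the header and other record types (TUSH) are skipped.
    Accepts '|' (as printed on this page) or ',' as the field separator."""
    rows = []
    for line in text.splitlines():
        # strip cells and drop the trailing empty cell left by the final separator
        fields = [f.strip() for f in line.replace("|", ",").split(",") if f.strip()]
        if len(fields) < 8 or fields[0] != "UACT":
            continue
        ev, hwnd, wp, lp, t, x, y = (int(v) for v in fields[1:8])
        rows.append({"event": ev, "hwnd": hwnd, "wParam": wp,
                     "lParam": lp, "time": t, "pt": (x, y)})
    return rows

def extract_text(rows):
    """Rebuild input from WM_CHAR records only (WM_KEYDOWN/WM_KEYUP carry no character).
    Returns (typed, scans): hand-typed characters, and each string that arrived
    inside a ctrl-B ... ctrl-C block, which is very likely a barcode scan."""
    typed, scans, scan = [], [], None
    for r in rows:
        if r["event"] != WM_CHAR:
            continue
        c = r["wParam"]
        if c == STX:                          # scanner prefix: start a barcode
            scan = []
        elif c == ETX and scan is not None:   # scanner suffix: barcode complete
            scans.append("".join(scan))
            scan = None
        elif scan is not None:
            scan.append(chr(c))
        else:
            typed.append(chr(c))
    return "".join(typed), scans
```

Running `extract_text(parse_uact(SAMPLE))` on the constructed sample yields the hand-typed text '%' and one scan, '42'.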