The following data is available for research purposes. It is provided on an as-is, where-is basis. All datasets listed here are in the public domain and you are welcome to use them. We would appreciate receiving copies of research materials based on this information, but this is not mandatory.

User Interface Audit Logs

When staff are using the PosGreen system for capturing sales at Point of Sale (checkouts) the system can be configured to record all keystrokes, mouse clicks, USB device movement and application activation. This provides a rich log of exactly how the user interacted with the system at the physical operation layer.

Data is collected using PreTranslateMessage and logged to memory buffers for delayed writing. The actual collection format on systems is an encrypted binary format but the files below have been converted to ASCII CSV style files. Sensitive data such as passwords or unique identifying information has been changed but not removed. For example if the password is 'cat' the logs below might show 'fzw' as the password. The length is retained but the contents scrambled. There is no credit card information in these files.

Some retail systems have barcode scanners attached. Some of these scanners emulate keyboards, so a scanned barcode appears in the logs as if the user had typed it. Scanners for Fieldpine are configured to send a prefix (ctrl-B) before each barcode and a suffix (ctrl-C) at the end. When processing the logs, keystrokes inside a ctrl-B/ctrl-C block are highly likely to be a barcode scan.

File Contents

The first column identifies the record type.
  1. A record type of 'UACT' (User ACTivity) is followed by these columns:
    1. The event type. These values directly map to the Windows WM values, such as WM_KEYUP or WM_DEVICECHANGE
    2. The HWND parameter in the MSG which will receive this message
    3. The MSG wParam field
    4. The MSG lParam field
    5. The MSG time field
    6. The MSG pt.x field
    7. The MSG pt.y field
    UACT lines are simple copies of the MSG structure passed to PreTranslateMessage.

  2. A record type of 'TUSH' provides information identifying the physical machine that created this file. There is typically only one of these records in each file. Information such as BIOS and hard drive serial numbers may be present here.

Example File
Type  Event  HWND    wParam  lParam       time      pt.x  pt.y
UACT  256    657846  16      3538945      15454000  711   337
UACT  256    657846  53      393217       15454203  711   337
UACT  258    657846  37      393217       15454203  711   337
UACT  257    657846  53      -1073348607  15454265  711   337
UACT  257    657846  16      -1070202879  15454296  711   337
UACT  256    657846  80      1638401      15454531  711   337
UACT  258    657846  112     1638401      15454531  711   337
UACT  257    527502  80      -1072103423  15454609  711   337
UACT  256    527502  80      1638401      15455765  711   337

Event 256 is WM_KEYDOWN, meaning a key has been pressed down. The virtual-key code is held in the wParam field. 16 is the Shift key, 53 is the '5' key on the main keyboard, and 80 is the 'P' key.

Event 257 is WM_KEYUP, meaning a key has been released. The meaning of wParam is the same as for WM_KEYDOWN.

Event 258 is WM_CHAR, where Windows has decoded a single character. In this case, the Shift/5 keydown sequence is delivered as "37", which is the ASCII code for '%'.

Consult the Microsoft documentation for the MSG structure used by PreTranslateMessage to decode other events.
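The following reader for UACT records is an added example, not Fieldpine code. It decodes the keystroke lParam bits (repeat count, scan code, key-released flag, as laid out in Microsoft's keystroke message documentation) and separates WM_CHAR input inside a ctrl-B/ctrl-C block from ordinary typing. It assumes the record type is its own comma- or space-separated column; the function names and the sample rows are constructed for illustration.

```python
import re

WM_NAMES = {256: "WM_KEYDOWN", 257: "WM_KEYUP", 258: "WM_CHAR"}
CTRL_B, CTRL_C = 2, 3  # barcode prefix/suffix described on this page

# Constructed sample; the TUSH payload is a placeholder, not a real layout.
SAMPLE = """\
TUSH,constructed-machine-info
UACT,256,657846,16,3538945,15454000,711,337
UACT,256,657846,53,393217,15454203,711,337
UACT,258,657846,37,393217,15454203,711,337
UACT,257,657846,53,-1073348607,15454265,711,337
UACT,258,657846,2,1,15460000,711,337
UACT,258,657846,57,1,15460010,711,337
UACT,258,657846,52,1,15460020,711,337
UACT,258,657846,3,1,15460030,711,337
"""

def parse_uact(text):
    """Yield one dict per UACT row; other record types and headers are skipped."""
    for line in text.splitlines():
        cols = [c for c in re.split(r"[,\s]+", line.strip()) if c]
        if len(cols) != 8 or cols[0] != "UACT":
            continue
        event, hwnd, wparam, lparam, time, x, y = map(int, cols[1:])
        rec = {"event": WM_NAMES.get(event, event), "hwnd": hwnd,
               "wparam": wparam, "time": time, "pt": (x, y)}
        if event in (256, 257):
            bits = lparam & 0xFFFFFFFF           # lParam is logged as signed 32-bit
            rec["repeat"] = bits & 0xFFFF        # bits 0-15
            rec["scan_code"] = (bits >> 16) & 0xFF  # bits 16-23
            rec["released"] = bool(bits >> 31)   # bit 31: transition state
        yield rec

def split_typed_and_scanned(records):
    """Return (typed_text, [barcodes]) built from WM_CHAR records only."""
    typed, scans, block = [], [], None
    for r in records:
        if r["event"] != "WM_CHAR":
            continue
        ch = r["wparam"]
        if ch == CTRL_B:
            block = []                           # scanner prefix opens a block
        elif ch == CTRL_C and block is not None:
            scans.append("".join(block))         # scanner suffix closes it
            block = None
        else:
            (typed if block is None else block).append(chr(ch))
    typed.extend(block or [])  # unterminated block: treat as typed input
    return "".join(typed), scans
```
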