Extension:CheckUser


 * This page is about the extension. For the Wikimedia Foundation checkuser policy, click here.

CheckUser is an extension that allows a user (with checkuser permission) to check which IPs are used by a given username and which usernames are used by a given IP, without having to run queries directly against the database by hand. The extension is running live on all Wikimedia wikis.

Installation
The extension is released under the GNU General Public License 2.0 or later. The software is provided as-is. Updates will be made according to the needs of Wikimedia wikis; or where critical vulnerabilities are discovered.

Basic

 * 1) Download the files from SVN to the extensions directory, e.g. YourWikiSite/wiki/extensions.
 * 2) Open command prompt and run install.php
 * 3) If you don't currently have it, download the ExtensionFunctions.php file and copy it to the extensions directory, e.g. YourWikiSite/wiki/extensions
 * 4) Add   somewhere in LocalSettings.php.

Configuration
Configure $wgCheckUserLog to the directory you want to record the usage log at (must be server writable).

This tool migrates recent changes data to a separate table, and adds to that when new entries are added. If $wgPutIPinRC was set to false, there will be no data to search. After you run the queries, you can reduce $wgRCMaxAge to make recentchanges shorter, whithout affecting checkuser. Use $wgCUDMaxAge to set how far back checkuser data can go.

Basic interface

 * 1) Go to Special:CheckUser.
 * 2) In the user field, type in the username (without the 'user:' prefix), IP address, or CIDR range.
 * 3) * IP: any IPv4 or IPv6 address.
 * 4) * CIDR: you can check a range of IP addresses by appending the CIDR prefix (up to /16 for IPv4 or /64 for IPv6, or 65,536 addresses). For notation, see Range blocks.
 * 5) * XFF: you can check a client IP address provided by X-Forwarded-For headers by appending /xff (for example, 127.0.0.1/xff).
 * 6) Select the information you want to retrieve.
 * 7) * Get IPs: returns IP addresses used by a registered user.
 * 8) * Get edits from IP: returns all edits made by a user (registered or anonymous) from an IP address or range.
 * 9) * Get users: returns user accounts that have edited from an IP or range.
 * 10) In the reason field, type in the reason you are accessing the confidential data. Try to succinctly summarise the situation (for example, "cross-wiki spam"); this will be logged.

Information returned
A typical entry in the checkuser results for a user summary ("get users") is as follows: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070312 Firefox/1.5.0.11
 * Example (Talk | contribs) (20:11, -- 20:12, ) [5]
 * 127.0.0.37 XFF: 127.0.0.1, 127.0.0.5

This is formatted to fit a lot of information into a format that can very easily be listed and skimmed, but is difficult to read unless you know what the information provided is. The information is laid out as follows: user agent: browser, operating system, system language, and versions
 * username (user links) (time period when they edited from the given IP or range) [number of edits from the IP or range]
 * IP address edited from XFF: XFF information provided (can be spoofed)

Each IP/XFF combination used to edit is listed, in order of use. The user agent data for the latest use of the IP/XFF combinations is listed below.

Log
A log of all CheckUser accesses can be viewed at Special:CheckUser by those with the CheckUser rights. The log usually needs to be disabled or the directory ($wgCheckUserLog) for log outputs set to valid directory on non-Wikimedia wikis in order for the extension to correctly work.

Predecessor of CheckUser
The original extension for checking registered users IPs was called Espionage (previously Userip), written by Ævar Arnfjörð Bjarmason in 2005. This is still available from SVN, though it is not recommended unless the CheckUser extension doesn't work for you.