Software Monitoring

Navigation: Monitoring with EventSentry > System Health Monitoring >

Software Monitoring

With Software Monitoring you can be notified if:

•	An application that registers itself in the Add/Remove Programs control panel is installed or uninstalled

•	An application or file registers itself in a registry location that will automatically run the program when the system starts or a user logs in

•	An application or file registers itself in a directory that will automatically run the program when the system starts or a user logs in

In addition, EventSentry can create a software and hardware inventory in the database.

As with most system monitoring features, Software Monitoring will write an event to the Application event log when it detects any change. As such, you will need to make sure that you are monitoring the application event log with at least one event log filter.

Combined with Service Monitoring and File Monitoring, EventSentry will detect most applications and files that will automatically run when the system boots and/or a user logs in.

clip0162

Hardware Inventory

The following hardware information is also recorded in the database:

•	Operating System, including Edition and Service Pack

•	The SYSTEMROOT directory

•	Date when the Operating System was installed

•	Whether the machine is running the x64-bit edition of the OS

•	Whether the machine is a Terminal Server

•	Whether the machine is running Hyper-V

•	Whether the machine is running Server-Core

•	If the machine is a virtual machine, and in some cases the type of VM platform (e.g. VMWare ESX)

•	Installed CPU's (including type, speed and number of CPU's installed)**

•	The number of installed CPUs, including Hyper-Threading and multi-core detection

•	Registered owner and registered company** (if available)

•	Computer manufacturer and model** (if available)

•	BIOS Version***

•	Serial Number, Service Tag (depending on manufacturer)***

•	Installed Memory, including the maximum memory, number of memory chips installed and free slots available***

•	Installed network adapters, including adapter name, link speed, IP address (updated & refreshed automatically) and MAC address***

•	Installed disk controllers, including adapter name, adapter type (IDE/SCSI) and manufacturer***

•	Installed Graphics adapter, including the default resolution***

•	The number of CD-ROM, DVD, Floppy and removable drives***

•	The current uptime

•	The maximum uptime of the host since EventSentry was installed

The hardware inventory feature will also log an event to the event log, if the number of the following installed hardware devices changes since the last time the EventSentry agent was running:

•	Installed Memory

•	Number of installed processors

•	Number of installed floppy drives

•	Number of installed CDROM drives

•	Number of installed DVD drives

•	Number of removable drives

•	Link speed of a network adapter

•	Addition / Removal of a USB drive

•	S.M.A.R.T. status error of a physical drive

Please note that these events are only logged when the EventSentry agent is started (usually after a system boot), and not during runtime. Increases and decreases of device numbers are logged alike.

Ignore applications registering only GUIDs: Some software will write only the GUID (a hexadecimal number) to the registry when installed. Check this box to ignore software without a useful display name.

System hardware information is updated every time the EventSentry service is started.

Log uptime to database

Logs the current uptime of the host to the database in the specified time interval. This option, in addition to the current uptime, also keeps track of the maximum uptime across multiple reboots. This can help isolate problematic servers that are rebooted often.

This feature also stores the uptime history in the database, which can be accessed through Heartbeat - Availability - Uptime History. The uptime history is updated every time the OS is booting, and records how long the OS was running before the current boot process.

The uptime history keeps track of how long the OS was running between reboots, and as such is only updated when you reboot a host.

Detect when software is installed or uninstalled

If an application is installed an registers itself in the Control Panel under Add/Remove Programs, then EventSentry will notify you and log which application was installed or removed.

EventSentry will not notify you if an application is installed that does not register itself in Add/Remove Programs. You might still be notified if the application registers itself in one of the many autorun registry keys.

The following information is stored in the database and can be queried using the web reports when the "Record in database" check box is checked:

•	Software Name

•	Installation Directory*

•	Software Publisher*

•	Software Version*

This feature will also write application history to the database, enabling you to find out when software was installed/uninstalled (note that this information might also be available through the event logs).

Autorun Registry Keys

Some applications register files to automatically run when the computer starts or when a user logs on to the system. While those files are usually required and harmless, this is unfortunately misused by Spyware, Trojan horses and viruses.

EventSentry monitors certain registry locations and will notify you when an application is added or removed from one of the monitored locations. Please note that only HKEY_LOCAL_MACHINE registry keys, which affect all users on the system, are monitored at this time. HKEY_CURRENT_USER keys are not monitored.

EventSentry monitors the following registry values:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell

EventSentry monitors the following registry keys:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon

Autorun Directories

In addition to the registry keys listed above, this feature will also monitor the following directories and notify you if a file is added:

<Documents and Settings>\All Users\Start Menu\Programs\Startup

Additional Information

The Active Setup\Installed Components registry subkey is intended to be used by installations to make sure that all users on a system have up-to-date information in their profile, and as such is examined every time a user logs in. This key has unfortunately been misused by software to install and run malicious applications. We urge you to investigate all changes to this registry key to make sure only authorized applications register themselves there.

Please see the next chapter for all event records logged to the application event log by this feature.

* The amount of information recorded by EventSentry depends on the information provided by the installation routine of the particular software. It is up to the software vendor to determine how much installation they will record in the registry. Most modern software will log the name, publisher and version of the application installed.

** Some information might not be available. Model and manufacturer is available on most pre-installed computers; registered company is only available if specified during installation; in some cases CPU's information (especially older models) will not show the CPU type.

*** The Windows Management Instrumentation service is required to be running to obtain this information.