EventSentry Help v5.1

Event ID

Event Category

Event Description

Example

12000

Software Monitoring

An application was installed.

Application {51A3EF81-FAAF-4E70-815C-74D34D4EC313} (Backdoor Manager) was installed.

Additional Information:

Publisher: Global Intruder Corp

Installation Directory: C:\Program Files\BDM

12001

Software Monitoring

An application was uninstalled.

Application {51A3EF81-FAAF-4E70-815C-74D34D4EC313} (Backdoor Manager)

12002

Software Monitoring

An application or file registered itself in a autorun registry key and will be run automatically when a user logs on.

Application badtrojan.exe registered itself in the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and will be automatically run when a user logs into the system.

12003

Software Monitoring

An application or file registered itself in the registry by changing a value.

The registry value Shell in key HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon changed from "explorer.exe" to "badandevilshell.exe". All files specified in this value will be automatically run when a user logs into the system.

12004

Software Monitoring

An application was removed from an autorun registry key.

Application desktophog.exe was removed from the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run and will no longer be run when a user logs into the system.

12005

Software Monitoring

A file was registered in an autorun directory.

The application eraseallfiles.exe registered itself in the directory c:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.

12006

Software Monitoring

A shortcut was registered in an autorun directory.

The shortcut PerformanceEnhancer.lnk (using file c:\windows\evilvirus.exe) registered itself in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.

12007

Software Monitoring

A shortcut was removed from an autorun directory.

The shortcut PerformanceEnhancer.lnk  (using file c:\windows\evilvirus.exe) was removed from directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will no longer run when a user logs into the system.

12008

Software Monitoring

An application registered itself in an autorun registry key and will be run automatically when the computer starts.

Application YourPersonalAdware.exe was added to the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will be automatically run when the system boots.

12009

Software Monitoring

An application was removed from an autorun key and will no longer be run when the system boots.

Application YourPersonalAdware.exe was removed from the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will no longer be run the system boots.

12010

Software Monitoring

An application registered itself in a registry key and might be automatically run when a user logs into the system.

The application SmartTrojan registered file c:\windows\eraseanddestroy.exe in registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and might be automatically run when a user logs into the system. Please see the help file (search for ACTIVE SETUP) for more information.

12011

Software Monitoring

An application removed itself from a registry key and will no longer be run when a user logs into the system.

Application SmartTrojan (using file c:\windows\eraseanddestroy.exe) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.

12012

Software Monitoring

A registry key could not be monitored and the feature disabled itself.

There was an error (999) monitoring registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Please restart the EventSentry agent or notify NETIKUS.NET support if this problem persists. Autorun monitoring will NOT continue.

12020

Software Monitoring

A browser extension was installed

The %1 browser extension "%2" was added by user %4:

Web Browser: %1

Name: %2

Version: %3

User: %4

Enabled: %5

12021

Software Monitoring

A browser extension was changed / updated

The %1 browser extension "%2" was modified by user %4:

Web Browser: %1

Name: %2

Version: %3

User: %4

Enabled: %5

Field Changed: %6 ("%7" -> "%8")

12022

Software Monitoring

A browser extension was removed

The %1 browser extension "%2" was removed by user %4:

Web Browser: %1

Name: %2

Version: %3

User: %4

Enabled: %5

12030

Hardware Monitoring

The installed memory changed.

The amount of physically installed memory changed from 512 Mb to 256 Mb.

12031

Hardware Monitoring

The number of installed processors changed.

The number of installed processors changed from 1 to 2.

12032

Hardware Monitoring

The number of installed floppy drives changed.

The number of installed floppy drives changed from 0 to 1.

12033

Hardware Monitoring

The number of installed CDROM drives changed.

The number of installed CDROM drives changed from 1 to 0.

12034

Hardware Monitoring

The number of installed DVD drives changed.

The number of installed DVD drives changed from 1 to 2.

12035

Hardware Monitoring

The number of removable drives changed.

The number of removable drives changed from 0 to 2.

12036

Hardware Monitoring

The link speed of a network adapter changed.

The link speed of adapter Gigabit Network Card changed from 1Gb to 100Mb.

12040

Hardware Monitoring

A removable drive has been added.

12041

Hardware Monitoring

A removable drive has been removed.

12042

Hardware Monitoring

A drive reported a S.M.A.R.T. status error.

12050

Hardware Inventory

A network adapter connected to a WiFi network

A network adapter connected to a WiFi network. Connection details:

Adapter Name: %1

Adapter ID: %2

SSID: %3

Signal Strength: %4

Cipher Algorithm: %5

Authentication Algorithm: %6

12051

Hardware Inventory

A network adapter disconnected from a WiFi network

A network adapter disconnected from a WiFi network. Last connection details:

Adapter Name: %1

Adapter ID: %2

SSID: %3

Signal Strength: %4

Cipher Algorithm: %5

Authentication Algorithm: %6

12500

UPS Monitoring

At least one battery has been detect and will be monitored.

EventSentry will monitor the attached UPS devices and/or built-in batteries. 2 detected device(s):

Battery #1: Current Charge: 98%, Voltage=12V, Status=Online, BatterySize=17930mAh

Battery #2: Current Charge: 86%, Voltage=11V, Status=Discharging, BatterySize=65430mAh

12501

UPS Monitoring

The system is running on battery power.

At least one connected UPS/battery is now running on battery power. EventSentry will periodically log event 12502 with estimated run times until the UPS is back online. EventSentry will perform a system shutdown when the remaining battery or runtime gets below a configured threshold.

Battery #1: Current Charge: 97%, Voltage=12V, Status=Online, BatterySize=17930mAh

Battery #2: Current Charge: 98%, Voltage=12V, Status=Discharging, BatterySize=65410mAh

12502

UPS Monitoring

The system continues to run on battery power.

At least one connected UPS/battery continues to operate on battery power.

Charge Remaining: 85%

Estimated remaining runtime: 23411 seconds

12503

UPS Monitoring

The system is no longer running on battery power.

All connected UPS/battery devices are back online.

Battery #1: Current Charge: 98%, Voltage=12V, Status=Online, BatterySize=17930mAh

Battery #2: Current Charge: 100%, Voltage=12V, Status=Online, BatterySize=65410mAh

12504

UPS Monitoring

All attached batteries are fully or almost fully charged.

All connected UPS/battery devices are fully or almost fully charged.

Battery #1: Current Charge: 98%, Voltage=12V, Status=Online, BatterySize=17930mAh

Battery #2: Current Charge: 100%, Voltage=12V, Status=Online, BatterySize=65410mAh

12510

UPS Monitoring

A system shutdown will be initiated based on a low battery charge level.

The charge level of all attached UPS devices is at or below the threshold of 50% and a shutdown will now be initiated.

Battery #1: Current Charge: 47%, Voltage=12V, Status=Online, BatterySize=17930mAh

12511

UPS Monitoring

A system shutdown will be initiated based on a low remaining runtime.

The estimated runtime of this system is at or below the threshold of 5 minutes and a shutdown will now be initiated.

Battery #1: Current Charge: 47%, Voltage=12V, Status=Online, BatterySize=17930mAh

12512

UPS Monitoring

System Shutdown Result.

System Shutdown Result: Success.

12600

Boot Sector Monitoring

A change to the MBR and/or following sectors was detected.

EventSentry detected changes in a protected area of a hard drive, the new contents are embedded as binary data. If this change is unexpected, then the original data (MBR) can be downloaded from the EventSentry Web Reports (Inventory -> Host) and subsequently restored with boot media.

Drive: \\.\PhysicalDrive0

Sectors Monitored: 0 - 78 (MBR)

Bytes Changed: 67

12601

Boot Sector Monitoring

A change to the BootLoader and/or following sectors was detected.

EventSentry detected changes in a protected area of a hard drive, the new contents are embedded as binary data. If this change is unexpected then you can restore the boot loader by retrieving the original BootLoader from the EventSentry Web Reports (Inventory -> Host) and copying the data over with boot media.

Drive: \\.\PhysicalDrive0

Sectors Monitored: 2048-2057

Bytes Changed: 34