Audits and Reports

Privilege Management for Windows sends events to the local Application event log, depending on the audit and privilege monitoring settings within the Privilege Management for Windows policy.

Additionally, BeyondTrust provides an enterprise-level, scalable reporting solution in Privilege Management Reporting. Privilege Management Reporting includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Privilege Management for Windows activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host, and Workstyle usage.

Events

The following events are logged by Privilege Management for Windows:

Event ID   Description
0          Service Control Success.
1          Service Error.
2          Service Warning.
100        Process has started with admin rights added to token.
101        Process has been started from the shell context menu with admin rights added to token.
103        Process has started with admin rights dropped from token.
104        Process has been started from the shell context menu with admin rights dropped from token.
106        Process has started with no change to the access token (passive mode).
107        Process has been started from the shell context menu with no change to the access token (passive mode).
109        Process has started with user’s default rights enforced.
110        Process has started from the shell context menu with user’s default rights enforced.
112        Process requires elevated rights to run.
113        Process has started with custom token applied.
114        Process has started from the shell context menu with user’s custom token applied.
116        Process execution was blocked.
118        Process started in the context of the authorizing user.
119        Process started from the shell menu in the context of the authorizing user.
120        Process execution was canceled by the user.
150        Privilege Management for Windows handled service control start action.
151        Privilege Management for Windows handled service control stop action.
152        Privilege Management for Windows handled service control pause/resume action.
153        Privilege Management for Windows handled service control configuration action.
154        Privilege Management for Windows blocked a service control start action.
155        Privilege Management for Windows blocked a service control stop action.
156        Privilege Management for Windows blocked a service control pause/resume action.
157        Privilege Management for Windows blocked a service control configuration action.
158        Privilege Management for Windows service control action run in the context of the authorizing user.
159        Privilege Management for Windows service control start action canceled.
160        Privilege Management for Windows service control stop action canceled.
161        Privilege Management for Windows service control pause/resume action canceled.
162        Privilege Management for Windows service control configuration action canceled.
198        Privileged group modification blocked.
199        Process execution was blocked, the maximum number of challenge / response failures was exceeded.

Configuration Events

Event ID   Category   Description
10                    License Error.
200        Config     Config Load Success.
201        Config     Config Load Warning.
202        Config     Config Load Error.
210        Config     Config Download Success.
211        Config     Config Download Error.

User / Computer Events

Event ID   Category   Description
300        User       User Logon.
400        Service    Privilege Management for Windows Service Start.
401        Service    Privilege Management for Windows Service Stop.

Content Events

Event ID   Category   Description
600        Process    Content Has Been Opened (Updated Add Admin).
601        Process    Content Has Been Updated (Updated Custom).
602        Process    Content Access Drop Admin (Updated Drop Admin).
603        Process    Content Access Was Cancelled By The User (Updated Passive).
604        Process    Content Access Was Enforced With Default Rights (Updated Default).
605        Process    Content Access Was Blocked.
606        Process    Content Access Was Canceled.
607        Process    Content Access Was Sandboxed.
650        Process    URL Browse.
706        Process    Passive Audit DLL.
716        Process    Block DLL.
720        Process    Cancel DLL Audit.
801        Rule       Script Failure.
802                   Password Safe Integration Error.

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application Group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)

Each process event also contains product properties, where applicable, but these can only be viewed in the Privilege Management Reporting Console.
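The following PowerShell script is an added example, not part of the BeyondTrust documentation, showing how an administrator can pull these events out of the local Application log and triage them using the event IDs from the table above (blocks, cancellations, configuration and script failures first). The event source (provider) name is not stated on this page, so it is a placeholder parameter that must be replaced with the source shown in Event Viewer; the ID-to-description map reproduces a subset of the table.

```powershell
# Added example (not BeyondTrust's code): summarize Privilege Management for
# Windows events from the local Application log over the last N hours.
# ASSUMPTION: the event source name is not given on this page. Replace the
# placeholder below with the provider name shown in Event Viewer.
param(
    [string]$ProviderName = 'REPLACE_WITH_PM_EVENT_SOURCE',
    [int]$Hours = 24
)

# Event IDs and descriptions taken from the events table (subset used for triage).
$Descriptions = @{
    10  = 'License Error'
    100 = 'Process started with admin rights added to token'
    103 = 'Process started with admin rights dropped from token'
    106 = 'Process started with no change to the access token (passive mode)'
    109 = 'Process started with user default rights enforced'
    112 = 'Process requires elevated rights to run'
    113 = 'Process started with custom token applied'
    116 = 'Process execution was blocked'
    118 = 'Process started in the context of the authorizing user'
    120 = 'Process execution was canceled by the user'
    154 = 'Blocked a service control start action'
    155 = 'Blocked a service control stop action'
    156 = 'Blocked a service control pause/resume action'
    157 = 'Blocked a service control configuration action'
    198 = 'Privileged group modification blocked'
    199 = 'Blocked: maximum challenge/response failures exceeded'
    202 = 'Config Load Error'
    211 = 'Config Download Error'
    605 = 'Content Access Was Blocked'
    716 = 'Block DLL'
    801 = 'Rule Script Failure'
    802 = 'Password Safe Integration Error'
}

# IDs worth a closer look: blocks, cancellations, and policy/config/script failures.
$Interesting = @(10, 112, 116, 120, 154, 155, 156, 157, 198, 199, 202, 211, 605, 716, 801, 802)

$filter = @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events from '$ProviderName' in the last $Hours hour(s). Check the provider name."
    return
}

# Volume per event ID, most frequent first.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        Id          = $id
        Count       = $_.Count
        Description = $Descriptions[$id]
    }
} | Format-Table -AutoSize

# Detail for the interesting IDs. The event text carries the process fields the
# page lists (command line, PIDs, Workstyle, Application Group, file hash ...);
# only the first line of the message is shown here to keep the table readable.
$events | Where-Object { $Interesting -contains $_.Id } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $Descriptions[$_.Id]
        Message = ($_.Message -split "`r?`n")[0]
    }
} | Sort-Object Time | Format-Table -Wrap
```

Run it in an elevated PowerShell session on the endpoint (for example `.\Get-PMEvents.ps1 -ProviderName '<source>' -Hours 48`). Repeated 199 events on one host, or any 198 event, are the ones to escalate first, since they show a policy boundary being tested rather than ordinary elevation activity; the full message text of each event contains the command line, parent process ID and file hash needed to follow up.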

Audit with Custom Scripts

When an application is allowed, elevated, or blocked, Privilege Management for Windows logs an event to the Application event log to record details of the action. If you want to record the action in a bespoke or third-party tracking system that supports PowerShell, VBScript, or JScript based submissions, you can use the Run a Script setting within an Application Rule.

To add a new auditing script:

  1. Create a new Application Rule, or edit an existing one, within a Workstyle.
  2. In Run a Script, click the Off value and, in the dropdown menu, select Manage Scripts to open the Script Manager.
  3. In the Script Manager, click New in the left tree view. A new script is added to the tree. Click the name New Script once to rename the script.
  4. In the right script editor, enter your script code manually, paste it in, or import a script from a file by clicking Import.
  5. In the Script Language dropdown menu, select PowerShell, VBScript, or JavaScript, depending on the code format you entered.

PowerShell audit scripts can only be run in the system context.

  6. Select a Timeout for how long the script is allowed to execute before it is terminated. By default, this is set to Infinite.
  7. Select whether the script should be executed in the System context or the current User context from the Script Context dropdown menu.
  8. Click OK to finish.

The new script is automatically selected in the Run a Script setting.

If you have any existing scripts, these can be selected in the dropdown menu.

The auditing script supports the use of parameters within the script. Parameters are expanded using the COM interface PGScript.

' Read the parameters that Privilege Management for Windows expands for the audited action (VBScript)
strUserName = PGScript.GetParameter("[PG_USER_NAME]")         ' name of the user who ran the application
strCommandLine = PGScript.GetParameter("[PG_PROG_CMD_LINE]")  ' command line of the audited process
strAgentVersion = PGScript.GetParameter("[PG_AGENT_VERSION]") ' version of the Privilege Management for Windows agent

Scripts created in the script editor can be reused in multiple Application Rules and On-Demand Application Rules. Any modification to an existing script affects all Workstyle rules that have been configured to execute that script.

For a list of available parameters, please see Windows Workstyle Parameters.
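As an added example (not BeyondTrust's own code), the PowerShell audit script below does what the procedure above describes: it reads the three parameters shown on this page through PGScript and appends the action as one JSON line to a local file that a log collector can forward to a third-party tracking system. It assumes the PGScript COM interface is exposed to PowerShell as the variable `$PGScript` (the page shows only the VBScript form `PGScript.GetParameter`), and the output path is a placeholder; the fallback values used when `$PGScript` is absent are constructed so the script can be dry-run outside Privilege Management.

```powershell
# Added example (not BeyondTrust's code): audit script for the Run a Script
# setting of an Application Rule. Writes one JSON line per audited action.
# ASSUMPTIONS: (1) the PGScript COM interface is reachable as $PGScript;
# (2) $LogPath is a placeholder. PowerShell audit scripts run in the System
# context, so the path must be writable by SYSTEM (ProgramData is used here).
$LogPath = Join-Path $env:ProgramData 'ExampleAudit\pm-audit.jsonl'   # placeholder path

function Get-PGParameter {
    param([string]$Name)
    # $Name is one of the [PG_...] tokens from the Windows Workstyle Parameters list.
    if (Get-Variable -Name PGScript -ErrorAction SilentlyContinue) {
        return $PGScript.GetParameter($Name)
    }
    # Constructed fallback for dry runs outside Privilege Management for Windows.
    return "<no PGScript: $Name>"
}

# Build the audit record from the parameters documented on this page plus
# host and time context so records from many endpoints can be correlated.
$record = [ordered]@{
    Timestamp    = (Get-Date).ToUniversalTime().ToString('o')
    Host         = $env:COMPUTERNAME
    UserName     = Get-PGParameter '[PG_USER_NAME]'
    CommandLine  = Get-PGParameter '[PG_PROG_CMD_LINE]'
    AgentVersion = Get-PGParameter '[PG_AGENT_VERSION]'
}

$dir = Split-Path -Path $LogPath -Parent
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# JSON Lines: one compact object per line, appended, so a collector can tail it.
$line = ConvertTo-Json -InputObject $record -Compress
Add-Content -Path $LogPath -Value $line -Encoding UTF8
```

Two design points follow from the settings in the procedure above. Because the script runs in the System context, write to a location the interactive user cannot modify, so the record of an elevation cannot be edited by the user whose action it describes. And set a finite Timeout rather than leaving the default of Infinite: an audit script that hangs on a slow or unreachable destination would otherwise hold up the rule that invoked it.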