Endpoint Privilege Management Reporting Console

The Reporting Console is an MMC snap-in and may connect to the local computer or a remote computer. The Reporting Console enables you to view Endpoint Privilege Management for Windows events and privilege monitoring logs for the relevant computer.

To run the Endpoint Privilege Management Reporting Console:

  1. Launch mmc.exe.
  2. Select Add/Remove Snap-in from the File menu.
  3. Select Endpoint Privilege Management Reporting from the available snap-ins and click Add.

    Before the snap-in is added, you are prompted to select a computer to manage. The local computer is selected by default. To connect to a remote computer, click the Another computer option button and enter the name of the remote computer or click the Browse button to browse for a computer. Endpoint Privilege Management for Windows supports a connection to a central event collector if you are using event forwarding to centralize events to a server.

    You may also select an alternative location for the privilege monitoring logs, if you have a scripted solution in place to centralize the privilege monitoring logs to a server. Enter the network location or click the Browse button to browse to the location.

  4. Click Finish.
  5. Click OK.

You can add multiple instances of the Endpoint Privilege Management Reporting snap-in and connect them to different computers.

Auditing Report

The Auditing Report lists all the Endpoint Privilege Management for Windows events logged on that computer.

For each event the following information is available:

  • Date
  • Event ID
  • Filename (Codebase for ActiveX controls)
  • Command Line
  • Event Description
  • Username
  • Computer Name
  • Policy
  • Application Group
  • Reason
  • Custom Token
  • Hash (CLSID for ActiveX controls)
  • Certificate
  • PID
  • Parent PID
  • Trusted Application Name
  • Trusted Application Version

By default, the report shows all Endpoint Privilege Management for Windows events from the event log, but you can filter the report on date, event number, username, and computer name. Click Update Report to reload the report.

The application definitions contained within each event may be copied and then pasted into Application Groups in the Endpoint Privilege Management Policy Editor. Select one or more events, and then select Copy from the context menu. You can now paste the applications into an Application Group.

Privilege Monitoring Report

Application View

The application view shows a list of all applications that have been monitored. Applications are identified by their file hash.

For each application, the following information is available:

  • Filename/Codebase
  • Type
  • Instances
  • Description
  • Certificate
  • Hash (CLSID for ActiveX controls)
  • Version (ActiveX controls only)

The instances column shows the number of times the application has run. To view the individual instances for an application, double-click the entry in the list or select Show Details from the context menu. The Process View appears.

By default, the report shows all the monitored applications, but you may filter the report on date, username, and computer name. Click Update Report to reload the report.

Process View

The process view shows a list of the individual processes that have been monitored for an application.

For each process the following information is available:

  • Date
  • PID
  • Command Line
  • Filename

To view the activity for a process, double-click the entry in the list or select Show Details from the context menu. The Activity View appears.

Activity View

The activity view shows a list of all the privileged activity carried out by a process. Privileged activity is any activity that would fail under a standard user account.

For each activity entry the following information is available:

  • Date
  • Operation
  • Object
  • Parameters

To go back to the process view, double-click the Back Up entry in the list or select Back Up from the context menu. The Process View appears.

Diagnose Connection Problems

When connecting to a remote computer, the Endpoint Privilege Management Reporting Console must be able to reach that computer's registry (through the Remote Registry service) and its administrative file shares.

If the Reporting Console fails to connect or fails to retrieve data, the most common causes are:

  1. The Remote Registry service needs to be started on the remote machine. On Windows 7, this service is not set to start automatically, so you should ensure it has been started.
  2. The Windows Firewall may be blocking the incoming requests. Enabling the File and Printer Sharing exception in the Windows Firewall Settings should resolve this problem.
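The following script is an added example, not part of the product documentation: it checks the two causes listed above on a remote computer and, when run with -Fix, remediates them, then repeats the connection checks from the console machine the way the snap-in connects. It assumes Windows PowerShell 5.1 on the console machine, WinRM enabled on the target, the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later) on both machines, and an account that is a local administrator on the target; WORKSTATION01 is a placeholder host name.

```powershell
# Added example (not the product's own tooling). Reports the state of the
# Remote Registry service and the inbound "File and Printer Sharing" firewall
# rule group on $Target; -Fix enables both. Assumptions: Windows PowerShell 5.1,
# WinRM on the target, NetSecurity/NetTCPIP modules present, local admin rights.
param(
    [string]$Target = 'WORKSTATION01',   # placeholder host name, replace it
    [switch]$Fix                         # report only unless -Fix is given
)

# Checks that run on the target itself.
$remote = Invoke-Command -ComputerName $Target -ArgumentList $Fix.IsPresent -ScriptBlock {
    param([bool]$Fix)
    $r = [ordered]@{}

    # 1. Remote Registry service must be running (not automatic on Windows 7).
    $svc = Get-Service -Name RemoteRegistry
    $r.RemoteRegistryBefore = $svc.Status
    if ($Fix -and $svc.Status -ne 'Running') {
        Set-Service -Name RemoteRegistry -StartupType Automatic
        Start-Service -Name RemoteRegistry
    }
    $r.RemoteRegistryAfter = (Get-Service -Name RemoteRegistry).Status

    # 2. Inbound "File and Printer Sharing" rules must be enabled so the
    #    administrative shares and the remote registry pipe are reachable.
    $rules    = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    $disabled = @($rules | Where-Object { $_.Enabled -ne 'True' })
    $r.FirewallRulesDisabledBefore = $disabled.Count
    if ($Fix -and $disabled.Count -gt 0) { $disabled | Enable-NetFirewallRule }
    $r.FirewallRulesDisabledAfter = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.Enabled -ne 'True' }).Count

    [pscustomobject]$r
}

# Checks that run from the console machine, the same paths the snap-in uses.
$local = [ordered]@{}
$local.Smb445Open          = (Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
$local.AdminShareReachable = Test-Path -Path "\\$Target\ADMIN$"
try {
    # Opening HKLM remotely exercises the Remote Registry service end to end.
    $key = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $key.Close()
    $local.RemoteRegistryReadable = $true
} catch {
    $local.RemoteRegistryReadable = $false
}

$remote | Format-List RemoteRegistry*, FirewallRules*
[pscustomobject]$local | Format-List
```

Run it without -Fix first to see which prerequisite is missing; a host with Smb445Open false but the service running points at a firewall rule rather than the service.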