Privilege Management for Windows Activity Viewer

The Privilege Management for Windows Activity Viewer is an advanced diagnostics tool designed to help identify improvements in Privilege Management for Windows Workstyles. It allows IT administrators to remotely connect to any Privilege Management for Windows instance on the network and view all recent activity on the desktop.

The Activity Viewer collects a complete audit of every application that has run on the desktop, and provides a detailed summary of how Privilege Management for Windows interacted with those applications, what actions it applied, and the rules that it used to determine that action.

The activity is displayed in a rich, detailed, yet simple-to-use interface that provides every snippet of information required to better understand the Workstyles deployed to endpoints and how they affect the applications being run, and to rapidly identify unexpected outcomes.

Requirements

  • SQL Server Compact 4.0+. Installed when using the executable installer for the client or the Activity Viewer.
  • Requires local admin rights to install and use.
  • The Activity Viewer version and the Privilege Management for Windows client version must match. For example, both must be 21.1.
  • Restart the endpoint after installing Activity Viewer.
  • You can run the Activity Viewer from a server and troubleshoot another machine. Activity Viewer must be installed on both machines.

Install the Activity Viewer

You must use the .exe installer. This installer file includes SQL Server Compact 4.0+.

  1. Run the Activity Viewer installer.
  2. On the Welcome page, click Next.
  3. On the License Agreement page, agree to the terms of the license and click Next.
  4. Enter a user name, and click Next.
  5. Click Install, and then click Finish.

Turn on Logging

Logging must be turned on to capture the events you wish to view in the Activity Viewer. You can set up logging in the Activity Viewer and select the specific endpoint where you want to log events.

  1. Select the Privilege Management Settings node.
  2. In the right pane, select Tools.
  3. Click Launch Activity Viewer.
  4. Click Control Computer.
  5. Click the browse button to display the endpoints with Privilege Management for Windows deployed.
  6. Select the endpoint you want to monitor, and then enter administrator credentials.
  7. Click the Control button, and then select Enable Logging.

Create a Snapshot

  1. Select the Privilege Management Settings node.
  2. In the right pane, select Tools.
  3. Click Launch Activity Viewer.
  4. Click New Snapshot.
  5. Select the endpoint you are monitoring.
  6. Enter administrator credentials, and then click OK.

After the snapshot is created and new activity occurs on the endpoint, load the snapshot again to view the latest activity.

Review and Analyze Results

  1. Select the Privilege Management Settings node.
  2. In the right pane, select Tools.
  3. Click Launch Activity Viewer.
  4. Click Load Snapshot.

  5. Navigate to the location of the saved .sdf file, and then click Open. A policy is highlighted, as shown, if policy was applied since the snapshot.

     Figure: Privilege Management for Windows Activity Viewer capture results

  6. Double-click any process to display more details. The request details show how and where policy was applied on a process.

     Figure: Privilege Management for Windows Activity Viewer details on a specific process captured