Events in Endpoint Privilege Management for Windows
Endpoint Privilege Management
The following events are logged by Endpoint Privilege Management
Windows Process Events
| ePO ID (Event ID) | Description |
|---|---|
| 202299 (1) | Service Error - unlicensed or invalid license code. |
| 202250 (100) | Process has started with admin rights added to token. |
| 202251 (101) | Process has been started from the shell context menu with admin rights added to token. |
| 202253 (103) | Process has started with admin rights dropped from token. |
| 202254 (104) | Process has been started from the shell context menu with admin rights dropped from token. |
| 202256 (106) | Process has started with no change to the access token (passive mode). |
| 202257 (107) | Process has been started from the shell context menu with no change to the access token (passive mode). |
| 202259 (109) | Process has started with user’s default rights enforced. |
| 202260 (110) | Process has started from the shell context menu with user’s default rights enforced. |
| 202262 (112) | Process requires elevated rights to run. |
| 202263 (113) | Process has started with Custom Token applied. |
| 202264 (114) | Process has started from the shell context menu with user’s Custom Token applied. |
| 202266 (116) | Process execution was blocked. |
| 202268 (118) | Process started in the context of the authorizing user. |
| 202269 (119) | Process started from the shell menu in the context of the authorizing user. |
| 202270 (120) | Process execution was canceled by the user. |
| 202275 (150) | Endpoint Privilege Management handled service control start action. |
| 202276 (151) | Endpoint Privilege Management handled service control stop action. |
| 202277 (152) | Endpoint Privilege Management handled service control pause/resume action. |
| 202278 (153) | Endpoint Privilege Management handled service control configuration action. |
| 202279 (154) | Endpoint Privilege Management blocked a service control start action. |
| 202280 (155) | Endpoint Privilege Management blocked a service control stop action. |
| 202281 (156) | Endpoint Privilege Management blocked a service control pause/resume action |
| 202282 (157) | Endpoint Privilege Management blocked a service control configuration action |
| 202283 (158) | Endpoint Privilege Management service control action run in the context of the authorizing user |
| 202284 (159) | Endpoint Privilege Management service control start action canceled |
| 202285 (160) | Endpoint Privilege Management service control stop action canceled |
| 202286 (161) | Endpoint Privilege Management service control pause/resume action canceled |
| 202287 (162) | Endpoint Privilege Management service control configuration action canceled |
| 202297 (199) | Windows only - Process execution was blocked, the maximum number of challenge / response failures was exceeded |
| Configuration Events
All events with a value of 200 - 299 ID are not sent to ePO Dashboards. |
|
| (200) | Config Config Load Success |
| (201) | Config Config Load Warning |
| (202) | Config Config Load Error |
| (210) | Config Config Download Success |
| (211) | Config Config Download Error |
| User / Computer Events
These events are not sent to ePO Dashboards. |
|
| (300) | User User Logon |
| (400) |
Service Endpoint Privilege Management Service Start |
| (401) | Service Endpoint Privilege Management Service Stop |
| Content Events | |
| 203050 (600) | Process Content Has Been Opened (Updated Add Admin) |
| 203050 (601) | Process Content Has Been Updated (Updated Custom) |
| 203050 (602) | Process Content Access Drop Admin (Updated Drop Admin) |
| 203050 (603) | Process Content Access Was Canceled By The User (Updated Passive) |
| 203050 (604) | Process Content Access Was Enforced With Default Rights (Updated Default) |
| 203050 (605) | Process Content Access Was Blocked |
| 203050 (606) | Process Content Access Was Canceled |
| 203050 (607) | Process Content Access Was Sandboxed |
| 203050 (650) | Process URL Browse |
| 203050 (706) | Process Passive Audit DLL |
| 203050 (716) | Process Block DLL |
| 203050 (720) | Process Cancel DLL Audit |
Each process event contains the following information:
- Command line for the process
- Process ID for the process (if applicable)
- Parent process ID of the process
- Workstyle that applied
- Application group that contained the process
- End user reason (if applicable)
- Custom access token (if applicable)
- File hash
- Certificate (if applicable)
Each process event also contains product properties, where applicable, but these can only be viewed in the Endpoint Privilege Management Reporting Console.
