Events in Privilege Management for Windows

Privilege Management for Windows sends events to ePO using the McAfee Agent, and also to the local application event log, depending on the audit and privilege monitoring settings within the Privilege Management for Windows policy.

The following events are logged by Privilege Management for Windows :

Windows Process Events

ePO ID (Event ID) Description
202299 (1) Service Error - unlicensed or invalid license code.
202250 (100) Process has started with admin rights added to token.
202251 (101) Process has been started from the shell context menu with admin rights added to token.
202253 (103) Process has started with admin rights dropped from token.
202254 (104) Process has been started from the shell context menu with admin rights dropped from token.
202256 (106) Process has started with no change to the access token (passive mode).
202257 (107) Process has been started from the shell context menu with no change to the access token (passive mode).
202259 (109) Process has started with user’s default rights enforced.
202260 (110) Process has started from the shell context menu with user’s default rights enforced.
202262 (112) Process requires elevated rights to run.
202263 (113) Process has started with Custom Token applied.
202264 (114) Process has started from the shell context menu with user’s Custom Token applied.
202266 (116) Process execution was blocked.
202268 (118) Process started in the context of the authorizing user.
202269 (119) Process started from the shell menu in the context of the authorizing user.
202270 (120) Process execution was canceled by the user.
202275 (150) Privilege Management handled service control start action.
202276 (151) Privilege Management handled service control stop action.
202277 (152) Privilege Management handled service control pause/resume action.
202278 (153) Privilege Management handled service control configuration action.
202279 (154) Privilege Management blocked a service control start action.
202280 (155) Privilege Management blocked a service control stop action.
202281 (156) Privilege Management blocked a service control pause/resume action
202282 (157) Privilege Management blocked a service control configuration action
202283 (158) Privilege Management service control action run in the context of the authorizing user
202284 (159) Privilege Management service control start action canceled
202285 (160) Privilege Management service control stop action canceled
202286 (161) Privilege Management service control pause/resume action canceled
202287 (162) Privilege Management service control configuration action canceled
202297 (199) Windows only - Process execution was blocked, the maximum number of challenge / response failures was exceeded
Configuration Events

All events with a value of 200 - 299 ID are not sent to ePO Dashboards.

(200) Config Config Load Success
(201) Config Config Load Warning
(202) Config Config Load Error
(210) Config Config Download Success
(211) Config Config Download Error
User / Computer Events

These events are not sent to ePO Dashboards.

(300) User User Logon
(400)

Service Privilege Management Service Start

(401) Service Privilege Management Service Stop
Content Events
203050 (600) Process Content Has Been Opened (Updated Add Admin)
203050 (601) Process Content Has Been Updated (Updated Custom)
203050 (602) Process Content Access Drop Admin (Updated Drop Admin)
203050 (603) Process Content Access Was Canceled By The User (Updated Passive)
203050 (604) Process Content Access Was Enforced With Default Rights (Updated Default)
203050 (605) Process Content Access Was Blocked
203050 (606) Process Content Access Was Canceled
203050 (607) Process Content Access Was Sandboxed
203050 (650) Process URL Browse
203050 (706) Process Passive Audit DLL
203050 (716) Process Block DLL
203050 (720) Process Cancel DLL Audit

Each process event contains the following information:

  • Command line for the process
  • Process ID for the process (if applicable)
  • Parent process ID of the process
  • Workstyle that applied
  • Application group that contained the process
  • End user reason (if applicable)
  • Custom access token (if applicable)
  • File hash
  • Certificate (if applicable)

Each process event also contains product properties, where applicable, but these can only be viewed in the Privilege Management Reporting Console.