A Windows® operating system user needs full control permissions on the following registry keys to monitor the operating system:
• |
76A64158-CB41-11D1-8B02-00600806D9B6 (WBEM Scripting Locator) |
• |
72C24DD5-D70A-438B-8A42-98424B88AFB8 (Windows Script Host Shell Object) |
• |
0D43FE01-F093-11CF-8940-00A0C9054228 (FileSystem Object) |
• |
HKEY_CLASSES_ROOT\AppID\{key}: Need to write the string value name to DllSurrogate and leave the value to blank. |
• |
HKEY_CLASSES_ROOT\CLSID\{key}: Need to write the string value name to AppID and set the value to {key}. |
• |
HKEY_CLASSES_ROOT\AppID\{key}: Need to write the string value name to DllSurrogate and leave the |
• |
HKEY_CLASSES_ROOT\Wow6432Node\AppID\{key}: Need to write the string value name to DllSurrogate and leave the value to blank. |
• |
HKEY_CLASSES_ROOT\CLSID\{key}: Need to write the string value name to AppID and set the value to {key}. |
• |
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{key}: Need to write the string value name to AppID and set the value to {key}. |
NOTE: 1. If the keys under HKEY_CLASSES_ROOT\AppID do not exit, manually add the keys to the written value by default permission. 2. If the keys under HKEY_CLASSES_ROOT\CLSID and HKEY_CLASSES_ROOT\Wow6432Node\CLSID do not exit, and you do not have permission to add a new String Value or edit the Value data, change the Owner from TrustedInstaller to Administrators, then grant the Set Value permission first. |
• |
Manually write the values to those keys, and then remove the full control permission. If the full control permissions cannot be deselected, select Deny Permission entry to remove all the permissions, and keep permissions for the entries Query Value, Enumerate Subkeys, Notify, and Read control to Read only. To set deny permission, right click on the registry key and select Permissions. Click Advanced on the popup dialogue box, then double click on the FglAM user, and check Deny Permission entry. |
For FileLogMonitorAgent and WindowsEventLogMonitorAgent:
• |
76A64158-CB41-11D1-8B02-00600806D9B6 (For j-interop WMIJavaConnection) |
The key 76A64158-CB41-11D1-8B02-00600806D9B6 is used for the Agent Managers installed on Unix or Linux machine to establish the WMIJavaconnection, which requires the administrator privilege to monitor.
When an agent connects to a monitored Windows® host from a UNIX® machine, you must make certain registry changes in order to allow the required COM services to run.
1 |
2 |
3 |
Add the following registry key to Windows if it does not exist: HKEY_CLASSES_ROOT\AppID{76A64158-CB41-11D1-8B02-00600806D9B6}. Create a new string value named DllSurrogate under that key and leave it blank. |
4 |
Add the following registry key to Windows if it does not exist: HKEY_CLASSES_ROOT\CLSID{76A64158-CB41-11D1-8B02-00600806D9B6}. Create a new string value named AppID under that key and modify the data to: {76A64158-CB41-11D1-8B02-00600806D9B6} |
This requirement affects: Windows Vista, Windows Server 2008, and Windows 7.
• |
Navigate to Control Panel > User Accounts and Family Safety > User Accounts > Change User Account Control Settings, and change the setting to Never Notify. |
When an agent connects to a monitored Windows host from a UNIX machine, and the Windows firewall is enabled, access to dllhost.exe must be allowed through the firewall.
2 |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center