What types of messages are captured during a Carbon Copy session by the Notification Server?
| Article:DOC1643 | | | Created: 2008-08-04 | | | Updated: 2010-12-08 | | | Article URL http://www.symantec.com/docs/DOC1643 |
Description
Question
When a user remote controls a PC using Carbon Copy, what types of messages are captured by the NS?
Answer
From the status messages that are logged, we can tell how long a session lasted, the User who started the session and their IP address, as well as what processes were executed and ended during the session.
To start the Session, the Notification Server logs the following:
|
7/3/08 9:31 AM |
Info |
716 |
Communications |
A Remote System with IP Address: 192.168.0.55 has connected. |
|
7/3/08 9:31 AM |
Info |
32807 |
Security |
A connect request from DOMAIN\User has been ACCEPTED. |
|
7/3/08 9:31 AM |
Info |
2 |
Communications |
The Carbon Copy session with DOMAIN\User has been successfully established. |
|
7/3/08 9:31 AM |
Info |
10 |
Remote Control |
A remote control session has been established with DOMAIN\User. |
.
The Carbon Copy agent sends an event for each process that is executed or ended during the session. Here are some examples:
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
wmiprvse.exe Process started |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
MTXINTFC.EXE Process started |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
MTXINTFC.EXE Process stopped |
|
7/3/08 9:32 AM |
Info |
50 |
Monitoring |
Netpaswd.exe Process started |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
Netpaswd.exe Process stopped |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/3/08 9:32 AM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/3/08 9:33 AM |
Info |
51 |
Monitoring |
wmiprvse.exe Process stopped |
.
|
7/9/08 5:30 PM |
Info |
50 |
Monitoring |
notepad.exe Process started |
|
7/9/08 5:31 PM |
Info |
51 |
Monitoring |
wmiprvse.exe Process stopped |
|
7/9/08 5:32 PM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/9/08 5:32 PM |
Info |
50 |
Monitoring |
wmiprvse.exe Process started |
|
7/9/08 5:32 PM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/9/08 5:33 PM |
Info |
51 |
Monitoring |
wmiprvse.exe Process stopped |
|
7/9/08 5:33 PM |
Info |
50 |
Monitoring |
rundll32.exe Process started |
|
7/9/08 5:33 PM |
Info |
51 |
Monitoring |
rundll32.exe Process stopped |
|
7/9/08 5:34 PM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/9/08 5:34 PM |
Info |
50 |
Monitoring |
wmiprvse.exe Process started |
|
7/9/08 5:34 PM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/9/08 5:35 PM |
Info |
51 |
Monitoring |
wmiprvse.exe Process stopped |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
invoke.exe Process started |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
cmd.exe Process started |
|
7/9/08 5:35 PM |
Info |
51 |
Monitoring |
cmd.exe Process stopped |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
invoke.exe Process started |
|
7/9/08 5:35 PM |
Info |
51 |
Monitoring |
invoke.exe Process stopped |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
cmd.exe Process started |
|
7/9/08 5:35 PM |
Info |
51 |
Monitoring |
cmd.exe Process stopped |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
DSWorker.exe Process started |
|
7/9/08 5:35 PM |
Info |
50 |
Monitoring |
invoke.exe Process started |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
wscript.exe Process started |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
wmiprvse.exe Process started |
|
7/9/08 5:36 PM |
Info |
51 |
Monitoring |
DSWorker.exe Process stopped |
|
7/9/08 5:36 PM |
Info |
51 |
Monitoring |
invoke.exe Process stopped |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
cmd.exe Process started |
|
7/9/08 5:36 PM |
Info |
51 |
Monitoring |
cmd.exe Process stopped |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
DSWorker.exe Process started |
|
7/9/08 5:36 PM |
Info |
51 |
Monitoring |
wscript.exe Process stopped |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
DSWorker.exe Process started |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
invoke.exe Process started |
|
7/9/08 5:36 PM |
Info |
50 |
Monitoring |
cmd.exe Process started |
|
7/9/08 5:36 PM |
Info |
51 |
Monitoring |
cmd.exe Process stopped |
At the close of the session, these two messages are logged:
|
7/9/08 5:59 PM |
Warning |
11 |
Remote Control |
A remote control session with DOMAIN\User has been terminated. |
|
7/9/08 5:59 PM |
Info |
4 |
Communications |
The Carbon Copy session with DOMAIN\User has been terminated |
Legacy ID
43298
Article URL http://www.symantec.com/docs/DOC1643
Terms of use for this information are found in Legal Notices
Thank you.