What types of messages are captured during a Carbon Copy session by the Notification Server?

Article:DOC1643  |  Created: 2008-08-04  |  Updated: 2010-12-08  |  Article URL http://www.symantec.com/docs/DOC1643
Article Type
Documentation

Description



Question
When a user remote controls a PC using Carbon Copy, what types of messages are captured by the NS?

Answer

From the status messages that are logged, we can tell how long a session lasted, the User who started the session and their IP address, as well as what processes were executed and ended during the session.

To start the Session, the Notification Server logs the following:

7/3/08 9:31 AM

Info  

716

Communications

A Remote System with IP Address: 192.168.0.55 has connected.

7/3/08 9:31 AM

Info  

32807

Security     

A connect request from DOMAIN\User has been ACCEPTED.

7/3/08 9:31 AM

Info  

2

Communications

The Carbon Copy session with DOMAIN\User has been successfully established.

7/3/08 9:31 AM

Info  

10

Remote Control

A remote control session has been established with DOMAIN\User.

.

The Carbon Copy agent sends an event for each process that is executed or ended during the session.  Here are some examples:

7/3/08 9:32 AM

Info  

50

Monitoring

wscript.exe   Process started

7/3/08 9:32 AM

Info  

50

Monitoring

wmiprvse.exe   Process started

7/3/08 9:32 AM

Info  

51

Monitoring

wscript.exe   Process stopped

7/3/08 9:32 AM

Info  

50

Monitoring

MTXINTFC.EXE   Process started

7/3/08 9:32 AM

Info  

50

Monitoring

wscript.exe   Process started

7/3/08 9:32 AM

Info  

51

Monitoring

wscript.exe   Process stopped

7/3/08 9:32 AM

Info  

50

Monitoring

wscript.exe   Process started

7/3/08 9:32 AM

Info  

50

Monitoring

wscript.exe   Process started

7/3/08 9:32 AM

Info  

51

Monitoring

MTXINTFC.EXE   Process stopped

7/3/08 9:32 AM

Info  

50

Monitoring

Netpaswd.exe   Process started

7/3/08 9:32 AM

Info  

51

Monitoring

Netpaswd.exe   Process stopped

7/3/08 9:32 AM

Info  

51

Monitoring

wscript.exe   Process stopped

7/3/08 9:32 AM

Info  

51

Monitoring

wscript.exe   Process stopped

7/3/08 9:33 AM

Info   

51

Monitoring

wmiprvse.exe   Process stopped

.

7/9/08 5:30 PM

Info  

50

Monitoring

notepad.exe   Process started

7/9/08 5:31 PM

Info  

51

Monitoring

wmiprvse.exe   Process stopped

7/9/08 5:32 PM

Info  

50

Monitoring

wscript.exe   Process started

7/9/08 5:32 PM

Info  

50

Monitoring

wmiprvse.exe   Process started

7/9/08 5:32 PM

Info  

51

Monitoring

wscript.exe   Process stopped

7/9/08 5:33 PM

Info  

51

Monitoring

wmiprvse.exe   Process stopped

7/9/08 5:33 PM

Info  

50

Monitoring

rundll32.exe   Process started

7/9/08 5:33 PM

Info  

51

Monitoring

rundll32.exe   Process stopped

7/9/08 5:34 PM

Info  

50

Monitoring

wscript.exe   Process started

7/9/08 5:34 PM

Info  

50

Monitoring

wmiprvse.exe   Process started

7/9/08 5:34 PM

Info  

51

Monitoring

wscript.exe   Process stopped

7/9/08 5:35 PM

Info  

51

Monitoring

wmiprvse.exe   Process stopped

7/9/08 5:35 PM

Info  

50

Monitoring

invoke.exe   Process started

7/9/08 5:35 PM

Info  

50

Monitoring

cmd.exe   Process started

7/9/08 5:35 PM

Info  

51

Monitoring

cmd.exe   Process stopped

7/9/08 5:35 PM

Info  

50

Monitoring

invoke.exe   Process started

7/9/08 5:35 PM

Info  

51

Monitoring

invoke.exe   Process stopped

7/9/08 5:35 PM

Info  

50

Monitoring

cmd.exe   Process started

7/9/08 5:35 PM

Info  

51

Monitoring

cmd.exe   Process stopped

7/9/08 5:35 PM

Info  

50

Monitoring

DSWorker.exe   Process started

7/9/08 5:35 PM

Info  

50

Monitoring

invoke.exe   Process started

7/9/08 5:36 PM

Info  

50

Monitoring

wscript.exe   Process started

7/9/08 5:36 PM

Info  

50

Monitoring

wmiprvse.exe   Process started

7/9/08 5:36 PM

Info  

51

Monitoring

DSWorker.exe   Process stopped

7/9/08 5:36 PM

Info  

51

Monitoring

invoke.exe   Process stopped

7/9/08 5:36 PM

Info  

50

Monitoring

cmd.exe   Process started

7/9/08 5:36 PM

Info  

51

Monitoring

cmd.exe   Process stopped

7/9/08 5:36 PM

Info  

50

Monitoring

DSWorker.exe   Process started

7/9/08 5:36 PM

Info  

51

Monitoring

wscript.exe   Process stopped

7/9/08 5:36 PM

Info  

50

Monitoring

DSWorker.exe   Process started

7/9/08 5:36 PM

Info  

50

Monitoring

invoke.exe   Process started

7/9/08 5:36 PM

Info  

50

Monitoring

cmd.exe   Process started

7/9/08 5:36 PM

Info  

51

Monitoring

cmd.exe   Process stopped

At the close of the session, these two messages are logged:

7/9/08 5:59 PM

Warning

11

Remote Control

A remote control session with DOMAIN\User has been terminated.

7/9/08 5:59 PM

Info  

4

Communications

The Carbon Copy session with DOMAIN\User has been terminated

 

 


Legacy ID



43298


Article URL http://www.symantec.com/docs/DOC1643


Terms of use for this information are found in Legal Notices