...
- Increase the logging level on the client machine on which the ACS agent is installed to 1f (see the Symantec KB for details on client logging levels). It may help to clear the log files on the client machine first so that there are fewer to search in the next steps.
- Turn off the secure desktop
- Download Microsoft's Process Explorer and run it. Because the secure desktop is turned off, Process Explorer remains accessible behind the UAC prompts (just move them to the side), and details of a process can be viewed by right-clicking it and selecting Properties; the command line is shown under "Command line:" on the Image tab.
- Execute the process or program in question.
- Search for "has image name" in the ACS_.log files on the client machine. All the processes which ACS is detecting will be listed there.
- Keep track of the processes in a table if necessary, like the following:

Process name | PID | Parent PID | Start time | End time
---|---|---|---|---
 | | | |
 | | | |
 | | | |
 | | | |
 | | | |
- Search for "process start" in the ACS_.log files and put the PID in the table.
- Then search forwards and backwards for the PIDs in question and fill out the rest of the table. Note: if the process did not finish, there will be no end time; just use the time of the last log entry.
- Then evaluate the data in the table and decide which process needs the Application Initiation policy or a standard Application Control policy with a Rights Action (possibly including use of the user's unrestricted token).
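The table-building steps above (find "has image name" and "process start" entries, record PID and parent PID, fill in start and end times, and fall back to the last entry time for processes that never ended) can be automated. The following script is an added example and is not part of the Symantec KB article or the ACS product. The log line layout it parses is an assumption: the real ACS_*.log format is not shown in the article, so the sample lines are constructed, and the "process end" marker and the `pid=`/`parent=` fields are invented for the example. Only the phrases "has image name" and "process start" come from the article; adjust the regular expressions to match the real files.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log in an ASSUMED layout (not the real ACS_*.log format).
SAMPLE_LOG = """\
2023-05-01 10:00:01 process start pid=1200 parent=800
2023-05-01 10:00:01 pid=1200 has image name C:\\Windows\\explorer.exe
2023-05-01 10:00:05 process start pid=1340 parent=1200
2023-05-01 10:00:05 pid=1340 has image name C:\\Program Files\\App\\setup.exe
2023-05-01 10:00:06 process start pid=1388 parent=1340
2023-05-01 10:00:06 pid=1388 has image name C:\\Windows\\System32\\msiexec.exe
2023-05-01 10:00:09 process end pid=1388
2023-05-01 10:00:12 process end pid=1340
2023-05-01 10:00:15 pid=1200 some other event
"""

# Patterns for the assumed layout; "process end" is a hypothetical marker.
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
ANY_TS_RE = re.compile(_TS)
START_RE = re.compile(_TS + r" process start pid=(?P<pid>\d+) parent=(?P<ppid>\d+)")
IMAGE_RE = re.compile(_TS + r" pid=(?P<pid>\d+) has image name (?P<image>.+)$")
END_RE = re.compile(_TS + r" process end pid=(?P<pid>\d+)")


@dataclass
class ProcessRecord:
    """One row of the troubleshooting table from the article."""
    pid: int
    parent_pid: Optional[int] = None
    image: str = ""
    start: str = ""
    end: str = ""
    end_is_last_entry: bool = False  # True if the process never ended in the log


def parse_log(text: str) -> Dict[int, ProcessRecord]:
    """Build the PID -> record table from log text, one pass, in line order."""
    records: Dict[int, ProcessRecord] = {}
    last_ts = ""
    for line in text.splitlines():
        ts = ANY_TS_RE.match(line)
        if not ts:
            continue  # ignore lines without a timestamp
        last_ts = ts.group("ts")  # remember the time of the last entry seen
        m = START_RE.match(line)
        if m:
            rec = records.setdefault(int(m.group("pid")), ProcessRecord(int(m.group("pid"))))
            rec.parent_pid = int(m.group("ppid"))
            rec.start = m.group("ts")
            continue
        m = IMAGE_RE.match(line)
        if m:
            rec = records.setdefault(int(m.group("pid")), ProcessRecord(int(m.group("pid"))))
            rec.image = m.group("image").strip()
            continue
        m = END_RE.match(line)
        if m:
            rec = records.setdefault(int(m.group("pid")), ProcessRecord(int(m.group("pid"))))
            rec.end = m.group("ts")
    # Processes still running when logging stopped: use the last entry time,
    # as the article advises, and flag it so the table does not mislead.
    for rec in records.values():
        if not rec.end:
            rec.end = last_ts
            rec.end_is_last_entry = True
    return records


def ancestry(records: Dict[int, ProcessRecord], pid: int) -> List[int]:
    """Walk parent PIDs upward (child first) until a parent is outside the log."""
    chain: List[int] = []
    seen = set()
    while pid in records and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        parent = records[pid].parent_pid
        if parent is None:
            break
        pid = parent
    return chain


def render_table(records: Dict[int, ProcessRecord]) -> str:
    """Render the records as the markdown table layout used in the article."""
    rows = ["Process name | PID | Parent PID | Start time | End time",
            "---|---|---|---|---"]
    for rec in sorted(records.values(), key=lambda r: (r.start, r.pid)):
        end = rec.end + (" (last entry)" if rec.end_is_last_entry else "")
        rows.append(f"{rec.image} | {rec.pid} | {rec.parent_pid} | {rec.start} | {end}")
    return "\n".join(rows)


if __name__ == "__main__":
    table = parse_log(SAMPLE_LOG)
    print(render_table(table))
    print("ancestry of 1388:", ancestry(table, 1388))
```

The `ancestry` helper answers the last step directly: for a process that fails under the agent, it lists the chain of parents recorded in the log, which is what you need when deciding whether the Application Initiation policy belongs on the launching parent rather than on the process that appears to fail.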