Why Choose CPTRAX for File System Auditing?

CPTRAX for Windows

  • Does not use Windows Event Logs
  • Does not use polling
  • Low Overhead - No Windows configuration changes required
  • Real-Time Reporting and Optional Blocking of unwanted activity

You have many choices when selecting a file system auditing and control solution for your Windows network. We created CPTRAX for Windows to give you a better choice. The following information has been prepared to provide a technical review of file system auditing methods and how CPTRAX for Windows is a better choice. The file system auditing methods that are compared to CPTRAX for Windows are:

  • Windows Event Log Readers
  • Polling and snapshot captures
  • File system drivers

Unique among Windows File System Auditing products, CPTRAX provides an integrated approach that fully connects with the server's communications channels. This allows CPTRAX to record all details regarding file system activity.

Drawing on kernel-level development and design experience stretching back to the late 1980s and covering all versions of Windows since, CPTRAX offers a better choice for Windows File System Auditing. With CPTRAX you will receive reports that include:

  • File/Folder name
  • Event Type
  • Account (user) and Domain name plus Distinguished Name
  • Account SID
  • Time of Event
  • Permissions changed with full change details
  • Owner changed and new owner identity
  • For remote events, name of workstation where user was
  • For remote events, IP address of where user was
  • For remote events, Share name access was initiated upon
  • For terminal server sessions, remote workstation where user was
  • For terminal server sessions, IP address of where user was

And, unlike any other commercial Windows File System Auditing product, CPTRAX offers active blocking of undesirable create, delete and modification activity.

Additionally, the deep level of experience and expertise provided by the Visual Click Software Team gives you the power of CPTRAX without requiring any superfluous technologies on your servers such as the .NET framework, SQL Server, specific MSI Installer versions or any other add-on. While SQL is not required, we do offer the option of sending all activity records to an existing Microsoft SQL Server.

CPTRAX vs. Windows Event Log Readers

Several of the available file system auditing products rely upon Windows Event Logs to provide input for their reporting. Many of these products also require you to do your own Event Log "auditing" configuration. This is a tedious manual process that involves visiting each folder (directory) to audit, selecting audit options, and repeating for each user and/or group to audit.

What if you only want to know when certain files are changed? You could define auditing on select files, but files are often deleted and re-created as part of normal operations, making it difficult if not logistically impossible to audit at the file level. Not to mention that new files would not be audited at all until auditing was established for each new file. All this means auditing options must be defined at the folder / directory level. Thus, if you simply wanted to track only activity upon XLS or DOC files, you cannot define it within the Windows Event Log system. And it is the Windows Event Log system that many file system auditing products rely upon. Most of these tools offer report filtering so you can receive reports of just what you want, but the Event Log files will be full of data you did not want to track.

All of this puts the Windows file system auditing process in charge of you because you have to constantly work for what you want and need.

Event Log details include:

  • File name (all events are curiously listed as being for a file even when it is for a Folder)
  • Event Type
  • Account (user) and Domain name
  • If Account was local or remote
  • Time of Event
  • Permissions changed (if event is modification of security (DACL or ACL) there is no record in the Event Log of what changes were made, only that the DACL was changed)
  • Owner changed (new owner identity is not recorded)

CPTRAX adds the following, which Event Log details do not include:

  • For remote events, name of workstation where user was
  • For remote events, IP address of where user was
  • For remote events, Share name access was initiated upon
  • For terminal server sessions, remote workstation where user was
  • For terminal server sessions, IP address of where user was
  • Account's Security Identifier or SID
  • Account's Distinguished Name or LDAP style name
  • Permissions that were changed (when DACL is updated)
  • Account Name of new Owner
  • File/Folder renames (in the Event Log, renames are not tracked: only the original filename is recorded as being deleted, and no create is recorded for the new filename or folder name)

And, lastly, Event Log readers do not have the ability to block undesirable file actions.

CPTRAX versus: Polling and Snapshot Captures

Some of the available file system auditing products gather file system activity independently of Windows Event Logs via polling and snapshot captures. These products do not require auditing to be configured within the Windows event system. Some of these products include the option to add events to the Windows Event Log based upon activity independently gathered.

As implied by this section's header, polling and snapshot capture auditing products only report on what is found after the fact. Though some of the products in this group claim to have real-time auditing abilities, these are still based on polling technology. The limitations are consequential, as only the bare minimum of file system activity is revealed. On the plus side, due to the lack of direct involvement in auditing file system activities, polling and snapshot products will record fewer events than the Windows Event Log system.

Polling/Snapshot details can include:

  • File/Folder name
  • Event Type - limited to:
      • File/Folder Added
      • File/Folder Deleted
      • File Size Changed
      • Permissions Changed (only if product saves these data before the change)
      • Owner Changed (only if product saves these data before the change)
  • Time of Event (for 'real time polling' only, otherwise, time is approximate or "best guess")

CPTRAX adds the following, which Polling/Snapshot details do not include:

  • All File/Folder Events occurring between polling or snapshot periods
  • Account (User) performing event / action
  • Name of workstation where user was
  • IP address of where user was
  • For remote events, Share name access was initiated upon
  • For terminal server sessions, remote workstation where user was
  • For terminal server sessions, IP address of where user was
  • Account Security Identifier or SID
  • Account Distinguished Name or LDAP style name
  • File/Folder Renames
  • File Open / Read events
  • File Change events as they occur

And, lastly, Polling and Snapshot Capture products do not have the ability to block undesirable file actions.
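
The gaps described in this section can be seen in a small model of a snapshot differ. This is an added Python example, not code from CPTRAX or any polling product; the `Op` record, the account names and the in-memory volume are constructed for illustration, and only the Added, Deleted and File Size Changed event types from the list above are modelled.

```python
# Added example: snapshot-based auditing modelled in memory (constructed data).
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    """One real file system action, as a real-time auditor would see it."""
    user: str            # account performing the action (constructed)
    action: str          # create | write | rename | delete
    path: str
    arg: object = None   # new size for create/write, new path for rename

def apply_op(fs, op):
    """Apply one action to the simulated volume (dict of path -> size)."""
    if op.action in ("create", "write"):
        fs[op.path] = op.arg
    elif op.action == "rename":
        fs[op.arg] = fs.pop(op.path)
    elif op.action == "delete":
        del fs[op.path]

def diff_snapshots(before, after):
    """What a poller can report: names and sizes only, no account, no exact time."""
    events = [("Added", p) for p in sorted(after.keys() - before.keys())]
    events += [("Deleted", p) for p in sorted(before.keys() - after.keys())]
    events += [("Size Changed", p) for p in sorted(before.keys() & after.keys())
               if before[p] != after[p]]
    return events

def run_poll_interval(fs, ops):
    """Snapshot, let activity happen, snapshot again, and diff."""
    before = dict(fs)
    for op in ops:
        apply_op(fs, op)
    return diff_snapshots(before, fs)

# Constructed activity between two polls.
volume = {"budget.xls": 100, "plan.doc": 40, "notes.txt": 10}
activity = [
    Op("alice", "create", "tmp_export.xls", 500),     # created ...
    Op("alice", "delete", "tmp_export.xls"),          # ... and removed before the next poll
    Op("bob", "rename", "plan.doc", "plan_old.doc"),
    Op("carol", "write", "budget.xls", 100),          # content edit, size unchanged
    Op("bob", "write", "notes.txt", 25),
]
polled = run_poll_interval(volume, activity)

if __name__ == "__main__":
    print(f"real actions: {len(activity)}, polled events: {len(polled)}")
    for event in polled:
        print(event)
```

Five real actions yield three polled events: the transient file and the same-size edit are absent, the rename appears as an unrelated delete and add, and no event carries an account.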

CPTRAX versus: File System Drivers

A few of the available file system auditing products use a kernel-level File System Driver to gather file system activity independently of Windows Event Logs. These products do not require auditing to be configured within the Windows event system.

These File System Driver products gather events by being directly involved with file system actions as each occurs. File System Drivers are kernel-level agents that, when in use, become part of the Windows file system. This means each file system activity is passed through the agent before it is applied to the affected file or folder. This "low level" of involvement with the Windows file system means nothing is missed. However, the only critical detail tracked is the name of the user (or other account) performing the file action. This means details of remote access are not recorded, no workstation name, no IP address.

File System Driver recorded details include:

  • File/Folder name
  • Event Type
  • Account (user) and Domain name plus Distinguished Name
  • Time of Event
  • Permissions changed with full change details
  • Owner changed and new owner identity

CPTRAX adds the following, which File System Driver recorded details generally do not include:

  • Direct indication of whether the action was performed locally or remotely
  • For remote events, name of workstation where user was
  • For remote events, IP address of where user was
  • For remote events, Share name access was initiated upon
  • For terminal server sessions, remote workstation where user was
  • For terminal server sessions, IP address of where user was

And, lastly, File System Driver products do have the innate ability to block undesirable file actions, but we have not found any such commercial products that offer this functionality.

More CPTRAX Features

  • Real-time email alerting

    Know immediately when an action of interest occurs. Pattern alerts can be configured to alert you when interesting actions occur repeatedly.
  • Customizable tracking profiles

    Avoid information overload. You can define which type of activities will be tracked and alerted on.
  • Ready-to-run reports

    Easily perform operations and compliance reviews with pre-built reports.
  • Central management console

    Manage the auditing of multiple servers from one console. Management can be performed from different locations by multiple administrators.
  • Automated report scheduling

    Schedule routine reports to be run and automatically emailed to the people who should review them.
  • Centralized log files

    Encrypted logs can be stored at and reported from a central log host server. Retention settings help keep things tidy.

Get a free trial of CPTRAX for Windows today!

CPTRAX includes 1 YEAR of our world class support!

Assisted Installation

Our team will help you implement CPTRAX from start to finish.

Unlimited Training

We'll make sure you can get the information you need out of CPTRAX.

Unlimited Support

Our rapid-response support team can assist with any questions you may have.