Welcome to the Privilege Authority Community

Privilege Authority is a product from ScriptLogic that allows administrators to elevate privileges for specific programs, Windows features or ActiveX controls, without running every user as an administrator.

Privilege Authority provides a powerful, flexible way to tighten overall security on a workstation, without preventing people from doing their jobs. It is available from scriptlogic.com and other popular download sites as a Professional edition and a free community edition.

The Professional edition includes additional security capabilities and technical support from ScriptLogic. This community is for all Privilege Authority users to collaborate, brainstorm new elevation rules, share rules with other users, and provide bug reports and enhancement requests back to ScriptLogic.

Issue with rights to application and network share
Last Post 09 Jun 2011 03:48 PM by Don Reynolds (ScriptLogic). 21 Replies.
Shane
New Member
Posts: 15
14 Apr 2011 01:03 AM  
I have a client that runs a very proprietary network application that requires users to be admins on their PC. Not only that, but they need full permissions to the network files as well that are associated with the program.

I want to use this program if it will work to accomplish 3 things -

#1 - I want to take their admin rights away from them as we have had a major issue with viruses and spyware being installed

#2 - I want to give them admin rights just for this particular program they have installed on their PC. It is not in a special folder, just C:\Program

#3 - I want them to be able to run and install anything from the network share where the files reside as admins

UNC is \\server\share but the UNC is mapped as their T: Drive via Group Policy

Everything else I want to take admin rights away from them. I think this product is what I want but I am having a hard time getting it to work correctly in my test environment.

Please advise.

Thank you!
George Plummer (ScriptLogic)
Posts: 125
14 Apr 2011 02:19 AM  
Hi Shane,

It is the right product. What you need to do is create 2 rules. One will be a file rule to elevate the application, and the other a folder rule to elevate all processes launched from the T: drive.

I suggest you give this a try in a test environment and come back to me with any issues that you are having.

Thanks.
Shane
New Member
Posts: 15
14 Apr 2011 04:37 PM  
So I add both rules to the same GPO, correct?
Shane
New Member
Posts: 15
14 Apr 2011 04:53 PM  
So I have 2 rules, I am using iTunes as a test as I do not want to load the proprietary software into my test domain.

So the shared drive is
S:\ which would simulate the client's T: drive; the UNC is \\server\shared

I have iTunes setup located here -
S:\iTunes\32 Bit\itunssetup.exe

I have created 2 rules on one GPO

Rule 1 -
Type - By Folder Path
Folder S:\
Groups - Domain Admins

Rule 2
Type - By Path To Executable
Path - S:\iTunes\32 Bit\itunessetup.exe
Groups - Domain Admins

I have done a gpupdate /force and rebooted my 2 test clients - Windows XP 32, and Windows 7 64

Both are still access denied logged in as a normal user
George Plummer (ScriptLogic)
Posts: 125
14 Apr 2011 09:58 PM  
Can you run through the steps outlined here http://privilegeforum.scriptlogic.c...yid/4.aspx and if you get to the last step post the contents of the log file so I can take a look.
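Added example, not part of the original thread and not ScriptLogic code: a Python reader for the debug-log format posted in the next reply, reporting for each path or folder rule how often it was evaluated and whether any logged launch came from the rule's location. The sample lines are constructed; treating a non-zero "Filter matching result" as a rule hit and comparing paths case-insensitively are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the line format posted in this thread
# (timestamp | source(line) | thread id | level | message); the SID is made up.
SAMPLE = r"""
14/04 14:24:15.603 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2520; Parent: 1084; Path: C:\Windows\regedit.exe; Params: <>
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-1-2-3-1106' and 'S-1-5-21-1-2-3-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:31.799 | ReportErrorStub.h(47) | 2064 | ERROR | Access is denied.
[EIP: 0x0,0x0] 0x80070005
14/04 14:26:15.966 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2368; Parent: 1768; Path: C:\Windows\System32\SearchProtocolHost.exe; Params: <>
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-1-2-3-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:30:00.000 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 3000; Parent: 1084; Path: S:\iTunes\32 Bit\itunessetup.exe; Params: <>
14/04 14:30:00.000 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-1-2-3-1106' and 'S-1-5-21-1-2-3-1106': MATCH
14/04 14:30:00.000 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'S:\iTunes\32 Bit\itunessetup.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:30:00.000 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:30:00.000 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'S:\iTunes\32 Bit\' and 'S:\' (Recursive): MATCH
14/04 14:30:00.000 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 1
"""

LINE_RE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}) \| (\S+)\((\d+)\) \| (\d+) \| (\w+) \| ?(.*)$")
NEW_PROC_RE = re.compile(r"New process event created \(PID: (\d+); Parent: (\d+); Path: (.*?); Params: ")
COMPARE_RE = re.compile(r"AppSec: Matching process (SID|path|folder): '(.*?)' and '(.*?)'"
                        r"(?: \(Recursive\))?: (MATCH|NO MATCH)$")
RESULT_RE = re.compile(r"Filter matching result (\d+)")
HRESULT_RE = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")

def parse_records(text):
    """Yield one dict per record; lines without the pipe-separated prefix
    (such as '[EIP: ...] 0x80070005') are appended to the previous record."""
    record = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            if record:
                yield record
            ts, src, _lineno, tid, level, msg = m.groups()
            record = {"ts": ts, "source": src, "tid": tid, "level": level, "msg": msg}
        elif record and raw.strip():
            record["msg"] += " " + raw.strip()
    if record:
        yield record

def summarize(text):
    """Collect process launches, per-rule evaluation counts and logged errors."""
    launches, errors = [], []
    rules = defaultdict(lambda: {"evaluated": 0, "matched": 0})
    current = None
    for rec in parse_records(text):
        msg = rec["msg"].strip()
        if rec["level"] == "ERROR":
            codes = HRESULT_RE.findall(msg)
            errors.append((rec["ts"], codes[-1] if codes else None))
        elif (m := NEW_PROC_RE.search(msg)):
            current = {"pid": int(m.group(1)), "path": m.group(3), "filter_hit": False}
            launches.append(current)
        elif (m := COMPARE_RE.search(msg)):
            kind, _actual, pattern, result = m.groups()
            if kind != "SID":  # SID lines only select the user the rule applies to
                rules[(kind, pattern)]["evaluated"] += 1
                rules[(kind, pattern)]["matched"] += result == "MATCH"
        elif (m := RESULT_RE.search(msg)) and current and m.group(1) != "0":
            current["filter_hit"] = True  # assumption: non-zero means a rule applied
    return {"launches": launches, "rules": dict(rules), "errors": errors}

def could_apply(kind, pattern, image_path):
    """True if the launch came from the location the rule points at."""
    pat, path = pattern.lower(), image_path.lower()
    if kind == "folder":
        return path.startswith(pat)
    if pat.startswith("*"):  # wildcard rule such as '*\ITunesSetup.exe'
        return path.endswith(pat[1:])
    return path.rsplit("\\", 1)[0] == pat.rsplit("\\", 1)[0]  # same parent folder

def diagnose(summary):
    """Per rule: 'matched'; 'near-miss' (a launch came from the rule's location
    but did not match, so check the file name in the rule); or 'untested'
    (no logged launch came from that location, so the log never exercised it)."""
    verdicts = {}
    for (kind, pattern), stats in summary["rules"].items():
        if stats["matched"]:
            verdicts[pattern] = "matched"
        elif any(could_apply(kind, pattern, l["path"]) for l in summary["launches"]):
            verdicts[pattern] = "near-miss"
        else:
            verdicts[pattern] = "untested"
    return verdicts

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

A rule reported as "untested" means the capture holds no launch from the rule's folder, so the test launch should be repeated while logging is on before the rule itself is changed.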
Shane
New Member
Posts: 15
14 Apr 2011 10:36 PM  
This is the log from Windows 7. Keep in mind, I know the p is missing from the "itunessetu.exe" file

I am also testing another rule that allows user to install depending on file name. All the paths and file names are correct with the missing "p"

................................

14/04 14:24:15.603 | ProcessingStageEvent.h(117) | 2064 | NONE |

*************************** Log started ***************************

14/04 14:24:15.603 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2520; Parent: 1084; Path: C:\Windows\regedit.exe; Params: <>
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.603 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:24:15.603 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:15.603 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:15.603 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:24:15.603 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:15.618 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:24:15.618 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:20.665 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2276)
14/04 14:24:31.799 | ReportErrorStub.h(47) | 2064 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:24:34.189 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 836; Parent: 1084; Path: C:\Windows\System32\rundll32.exe; Params: <shell32.dll,Options_RunDLL 0>
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\rundll32.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\rundll32.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\rundll32.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:34.189 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:24:34.189 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\rundll32.exe 1 0
14/04 14:24:34.189 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:24:34.189 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\rundll32.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:24:34.189 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:24:35.674 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 836)
14/04 14:24:38.750 | ReportErrorStub.h(47) | 2064 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:24:45.422 | ReportErrorStub.h(47) | 2064 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:24:50.674 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2468)
14/04 14:24:50.689 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 1852)
14/04 14:25:05.700 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2916)
14/04 14:26:05.700 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 448)
14/04 14:26:05.716 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 1812)
14/04 14:26:15.966 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2368; Parent: 1768; Path: C:\Windows\System32\SearchProtocolHost.exe; Params: <Global\UsGthrFltPipeMssGthrPipe15_ Global\UsGthrCtrlFltPipeMssGthrPipe15 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" >
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:15.966 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:15.966 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
14/04 14:26:15.966 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:15.966 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 428; Parent: 1768; Path: C:\Windows\System32\SearchFilterHost.exe; Params: <0 508 512 520 65536 516 >
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:16.013 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:16.013 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
14/04 14:26:16.013 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:16.013 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:19.653 | ReportErrorStub.h(47) | 2064 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:26:35.725 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2520)
14/04 14:26:35.725 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2436)
14/04 14:26:39.740 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2056; Parent: 1084; Path: C:\Windows\System32\cmd.exe; Params: <>
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\cmd.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\cmd.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\cmd.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:39.740 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:39.740 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\cmd.exe 1 0
14/04 14:26:39.740 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:39.740 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\cmd.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:39.740 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 1820; Parent: 2056; Path: C:\Windows\System32\gpupdate.exe; Params: </force>
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:43.303 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:43.303 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:26:43.303 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:43.303 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:43.303 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.412 | GPUpdateMonitor.cpp(197) | 1752 | DBG | firing GPUpdate event for sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:26:45.412 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - starting
14/04 14:26:45.412 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:26:45.412 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:26:45.412 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.412 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.412 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.412 | PolicyManager.cpp(174) | 1752 | NONE | Activating the local machine policies
14/04 14:26:45.412 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - starting
14/04 14:26:45.412 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - starting
14/04 14:26:45.412 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:26:45.412 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - succeeded (0 ms)
14/04 14:26:45.412 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - starting
14/04 14:26:45.412 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:26:45.412 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (0 ms)
14/04 14:26:45.412 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - succeeded (0 ms)
14/04 14:26:45.412 | LogonMonitor.cpp(293) | 1752 | DBG | Firing logon event: sessionid=1 UserSID=S-1-5-21-4199684475-1426916888-3933129214-1106 subscriber cookie=2
14/04 14:26:45.412 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager:nLogonEvent - starting
14/04 14:26:45.412 | PolicyManager.cpp(222) | 1752 | NONE | Activating policies for user: sessionid=1 sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:26:45.428 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - starting
14/04 14:26:45.428 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\iTunes\32 Bit\itunessetu.exe' -> 'S:\iTunes\32 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.428 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - succeeded (0 ms)
14/04 14:26:45.428 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\' -> 'S:\' by NT AUTHORITY\SYSTEM
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.428 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (16 ms)
14/04 14:26:45.443 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.443 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.443 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - succeeded (16 ms)
14/04 14:26:45.443 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.443 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: '*\ITunesSetup.exe' -> '*\ITunesSetup.exe' by TEST\w7user
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.443 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'workstation;' -> 'workstation;' by TEST\w7user
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.443 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by TEST\w7user
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:26:45.443 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:26:45.459 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'xp;windows7;vista;' -> 'xp;windows7;vista;' by TEST\w7user
14/04 14:26:45.459 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:26:45.459 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - succeeded (15 ms)
14/04 14:26:45.459 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - succeeded (31 ms)
14/04 14:26:45.459 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
14/04 14:26:45.459 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
14/04 14:26:45.459 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager::OnLogonEvent - succeeded (47 ms)
14/04 14:26:45.459 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - succeeded (47 ms)
14/04 14:26:45.459 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - starting
14/04 14:26:45.459 | FltDevRestrictionsManager.(51) | 1752 | DBG | driver has default config - skip driver load
14/04 14:26:45.459 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - succeeded (0 ms)
14/04 14:26:45.568 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 3040; Parent: 296; Path: C:\Windows\System32\gpscript.exe; Params: </RefreshSystemParam>
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(354) | 2064 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:45.568 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:45.568 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:26:45.568 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:26:45.568 | LUAFilterRules.cpp(278) | 2064 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:26:45.568 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 2692; Parent: 492; Path: C:\Windows\System32\taskhost.exe; Params: <SYSTEM>
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:47.975 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:26:47.975 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:26:47.975 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:26:47.975 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:26:50.725 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 2692)
14/04 14:26:50.725 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 3040)
14/04 14:27:03.974 | ProcessingStageEvent.h(117) | 2064 | DBG | New process event created (PID: 3028; Parent: 492; Path: C:\Windows\System32\raserver.exe; Params: </offerraupdate>
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:03.974 | LUAFilterRules.cpp(158) | 2064 | DBG | NotInternalProcessRule::Match result:1
14/04 14:27:03.974 | LUAFilterRules.cpp(108) | 2064 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:27:03.974 | LUAFilterRules.cpp(138) | 2064 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:27:03.974 | NewProcessEvtFilter.cpp(119) | 2064 | DBG | Filter matching result 0
14/04 14:27:05.724 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 1820)
14/04 14:27:05.724 | ProcessingStageEvent.h(121) | 2064 | DBG | Stop process event created (PID: 3028)
14/04 14:27:35.724 | ProcessingStageEvent.h(121) | 2324 | DBG | Stop process event created (PID: 428)
14/04 14:27:35.740 | ProcessingStageEvent.h(121) | 2324 | DBG | Stop process event created (PID: 2368)
14/04 14:28:09.412 | ProcessingStageEvent.h(117) | 2324 | DBG | New process event created (PID: 976; Parent: 1084; Path: C:\Windows\regedit.exe; Params: <>
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(278) | 2324 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(354) | 2324 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(278) | 2324 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(278) | 2324 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(354) | 2324 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:09.412 | LUAFilterRules.cpp(158) | 2324 | DBG | NotInternalProcessRule::Match result:1
14/04 14:28:09.412 | LUAFilterRules.cpp(108) | 2324 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:28:09.412 | LUAFilterRules.cpp(138) | 2324 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:28:09.412 | LUAFilterRules.cpp(278) | 2324 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:28:09.412 | NewProcessEvtFilter.cpp(119) | 2324 | DBG | Filter matching result 0
14/04 14:28:50.740 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 976)
14/04 14:31:11.608 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2140; Parent: 2056; Path: C:\Windows\System32\gpupdate.exe; Params: </force>
14/04 14:31:11.608 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.608 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.608 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.608 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:31:11.608 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:11.608 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.608 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.624 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.624 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:31:11.624 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:11.624 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.624 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.624 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.624 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:31:11.624 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:11.624 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.624 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.624 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.624 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:31:11.624 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:11.624 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.624 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.624 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.624 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:31:11.624 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:11.624 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:11.624 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:31:11.624 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:11.624 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:31:11.624 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:13.936 | GPUpdateMonitor.cpp(197) | 1752 | DBG | firing GPUpdate event for sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:31:13.936 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - starting
14/04 14:31:13.936 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:31:13.936 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:31:13.936 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.936 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.936 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.936 | PolicyManager.cpp(174) | 1752 | NONE | Activating the local machine policies
14/04 14:31:13.936 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - starting
14/04 14:31:13.936 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - starting
14/04 14:31:13.936 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:31:13.936 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - succeeded (0 ms)
14/04 14:31:13.936 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - starting
14/04 14:31:13.936 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:31:13.936 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (0 ms)
14/04 14:31:13.936 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - succeeded (0 ms)
14/04 14:31:13.936 | LogonMonitor.cpp(293) | 1752 | DBG | Firing logon event: sessionid=1 UserSID=S-1-5-21-4199684475-1426916888-3933129214-1106 subscriber cookie=2
14/04 14:31:13.936 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager::OnLogonEvent - starting
14/04 14:31:13.936 | PolicyManager.cpp(222) | 1752 | NONE | Activating policies for user: sessionid=1 sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:31:13.936 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - starting
14/04 14:31:13.936 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - starting
14/04 14:31:13.936 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.936 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.936 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\iTunes\32 Bit\itunessetu.exe' -> 'S:\iTunes\32 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:31:13.936 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (15 ms)
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.952 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - succeeded (15 ms)
14/04 14:31:13.952 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\' -> 'S:\' by NT AUTHORITY\SYSTEM
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.952 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.952 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.952 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - succeeded (0 ms)
14/04 14:31:13.952 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\iTunes\64 Bit\itunessetu.exe' -> 'S:\iTunes\64 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.967 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - succeeded (16 ms)
14/04 14:31:13.967 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: '*\ITunesSetup.exe' -> '*\ITunesSetup.exe' by TEST\w7user
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.967 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.967 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'workstation;' -> 'workstation;' by TEST\w7user
14/04 14:31:13.983 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.983 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.983 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by TEST\w7user
14/04 14:31:13.983 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:31:13.983 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:31:13.983 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'xp;windows7;vista;' -> 'xp;windows7;vista;' by TEST\w7user
14/04 14:31:13.983 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:31:13.983 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - succeeded (16 ms)
14/04 14:31:13.983 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - succeeded (47 ms)
14/04 14:31:13.983 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
14/04 14:31:13.983 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
14/04 14:31:13.983 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager::OnLogonEvent - succeeded (47 ms)
14/04 14:31:13.983 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - succeeded (47 ms)
14/04 14:31:13.983 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - starting
14/04 14:31:13.983 | FltDevRestrictionsManager.(51) | 1752 | DBG | driver has default config - skip driver load
14/04 14:31:13.983 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - succeeded (0 ms)
14/04 14:31:14.061 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2796; Parent: 296; Path: C:\Windows\System32\gpscript.exe; Params: </RefreshSystemParam>
14/04 14:31:14.061 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.061 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.061 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.061 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:31:14.061 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.061 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.061 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.061 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.061 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:31:14.061 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.061 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.061 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.061 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.061 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:31:14.061 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.061 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.061 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.061 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.061 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:31:14.061 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.077 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.077 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.077 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.077 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:31:14.077 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.077 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.077 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.077 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.077 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:31:14.077 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.077 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.077 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.077 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.077 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:31:14.077 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:14.077 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:14.077 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:31:14.077 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:31:14.077 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:31:14.077 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 1780; Parent: 492; Path: C:\Windows\System32\taskhost.exe; Params: <SYSTEM>
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:15.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:15.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:31:15.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:15.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:20.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2796)
14/04 14:31:20.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 1780)
14/04 14:31:31.749 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 164; Parent: 492; Path: C:\Windows\System32\raserver.exe; Params: </offerraupdate>
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:31.749 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:31:31.749 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:31:31.749 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:31:31.749 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:31:35.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 164)
14/04 14:31:35.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2140)
14/04 14:32:23.936 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2288; Parent: 2056; Path: C:\Windows\System32\gpupdate.exe; Params: </force>
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:23.936 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:23.936 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpupdate.exe 1 0
14/04 14:32:23.936 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:23.936 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpupdate.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:23.936 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.280 | GPUpdateMonitor.cpp(197) | 1752 | DBG | firing GPUpdate event for sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:32:26.280 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - starting
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.280 | ActiveAction.cpp(81) | 1752 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.280 | PolicyManager.cpp(174) | 1752 | NONE | Activating the local machine policies
14/04 14:32:26.280 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - starting
14/04 14:32:26.280 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - starting
14/04 14:32:26.280 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:32:26.280 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - succeeded (0 ms)
14/04 14:32:26.280 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - starting
14/04 14:32:26.280 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:32:26.280 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (0 ms)
14/04 14:32:26.280 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='' - succeeded (0 ms)
14/04 14:32:26.280 | LogonMonitor.cpp(293) | 1752 | DBG | Firing logon event: sessionid=1 UserSID=S-1-5-21-4199684475-1426916888-3933129214-1106 subscriber cookie=2
14/04 14:32:26.280 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager::OnLogonEvent - starting
14/04 14:32:26.280 | PolicyManager.cpp(222) | 1752 | NONE | Activating policies for user: sessionid=1 sid=S-1-5-21-4199684475-1426916888-3933129214-1106
14/04 14:32:26.280 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - starting
14/04 14:32:26.280 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - starting
14/04 14:32:26.280 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.280 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.280 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\iTunes\32 Bit\itunessetu.exe' -> 'S:\iTunes\32 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:32:26.280 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.280 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.280 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (16 ms)
14/04 14:32:26.295 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.295 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.295 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - succeeded (16 ms)
14/04 14:32:26.295 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.295 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\' -> 'S:\' by NT AUTHORITY\SYSTEM
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.295 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.295 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.295 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - succeeded (0 ms)
14/04 14:32:26.295 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.295 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'S:\iTunes\64 Bit\itunessetu.exe' -> 'S:\iTunes\64 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.311 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - succeeded (16 ms)
14/04 14:32:26.311 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: '*\ITunesSetup.exe' -> '*\ITunesSetup.exe' by TEST\w7user
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.311 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'workstation;' -> 'workstation;' by TEST\w7user
14/04 14:32:26.311 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.326 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (15 ms)
14/04 14:32:26.326 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'OR;' -> 'OR;' by TEST\w7user
14/04 14:32:26.326 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - starting
14/04 14:32:26.326 | StringExpander.cpp(557) | 1752 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:32:26.326 | StringExpander.cpp(678) | 1752 | DBG | <<Expanded: 'xp;windows7;vista;' -> 'xp;windows7;vista;' by TEST\w7user
14/04 14:32:26.326 | ActiveAction.cpp(65) | 1752 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:32:26.326 | PolicyManager.cpp(311) | 1752 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1106; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - succeeded (15 ms)
14/04 14:32:26.326 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1106' - succeeded (47 ms)
14/04 14:32:26.326 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
14/04 14:32:26.326 | PolicyManager.cpp(261) | 1752 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
14/04 14:32:26.326 | PolicyManager.cpp(205) | 1752 | NONE | CPolicyManager::OnLogonEvent - succeeded (47 ms)
14/04 14:32:26.326 | PolicyManager.cpp(158) | 1752 | NONE | CPolicyManager::Refresh - succeeded (47 ms)
14/04 14:32:26.326 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - starting
14/04 14:32:26.326 | FltDevRestrictionsManager.(51) | 1752 | DBG | driver has default config - skip driver load
14/04 14:32:26.326 | FsFilterLoader.cpp(96) | 1752 | NONE | OnEvent - succeeded (0 ms)
14/04 14:32:26.373 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 428; Parent: 296; Path: C:\Windows\System32\gpscript.exe; Params: </RefreshSystemParam>
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:26.373 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:26.373 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\gpscript.exe 1 0
14/04 14:32:26.373 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:26.373 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\gpscript.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:26.373 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2928; Parent: 492; Path: C:\Windows\System32\taskhost.exe; Params: <SYSTEM>
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:27.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:27.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\taskhost.exe 1 0
14/04 14:32:27.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:27.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:35.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 428)
14/04 14:32:35.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2928)
14/04 14:32:41.655 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 860; Parent: 1084; Path: C:\Windows\regedit.exe; Params: <>
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\' and 'S:\' (Recursive): NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:41.655 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:41.655 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\regedit.exe 1 0
14/04 14:32:41.655 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:41.655 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\regedit.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:41.655 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2648; Parent: 492; Path: C:\Windows\System32\raserver.exe; Params: </offerraupdate>
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:43.748 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:43.748 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\raserver.exe 1 0
14/04 14:32:43.748 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:32:43.748 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:50.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2288)
14/04 14:32:50.530 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2648)
14/04 14:32:55.437 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 1460; Parent: 1084; Path: S:\iTunes\64 Bit\iTunesSetu.exe; Params: <>
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 1 0
14/04 14:32:55.437 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:55.437 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'S:\iTunes\64 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:32:55.437 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:32:55.437 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match S:\iTunes\64 Bit\iTunesSetu.exe 1 0
14/04 14:32:55.437 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:32:55.437 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'S:\iTunes\64 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:55.437 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2444; Parent: 1460; Path: C:\Windows\System32\msiexec.exe; Params: </i "C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi">
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(374) | 2500 | DBG | AppSec: Matching msi folder: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(374) | 2500 | DBG | AppSec: Matching msi folder: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.452 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:02.452 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:02.452 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:02.452 | LUAFilterRules.cpp(287) | 2500 | DBG | AppSec: Matching msi path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\iTunes64.msi' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:02.452 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:02.921 | ReportErrorStub.h(47) | 2500 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:33:03.062 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 616; Parent: 2388; Path: C:\Windows\SysWOW64\msiexec.exe; Params: <-Embedding A5DB5C8627DD7600298663F53127B78E C>
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\SysWOW64\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\SysWOW64\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.062 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.062 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.062 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.062 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.062 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.077 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.077 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\SysWOW64\msiexec.exe 1 0
14/04 14:33:03.077 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.077 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\SysWOW64\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:03.077 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 3044; Parent: 2388; Path: C:\Windows\System32\msiexec.exe; Params: <-Embedding 3312A881E7293C24341CA403495491AA C>
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:03.187 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:03.187 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\msiexec.exe 1 0
14/04 14:33:03.187 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:03.187 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:03.187 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:05.546 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 860)
14/04 14:33:05.546 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2056)
14/04 14:33:08.359 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2040; Parent: 3044; Path: C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe; Params: </evt EB5E /pid 3044 /mon 440 452 >
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.359 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.359 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe 1 0
14/04 14:33:08.359 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:08.359 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Users\w7user\AppData\Local\Temp\IXP416.TMP\SetupAdmin.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:08.359 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 164; Parent: 956; Path: C:\Windows\System32\consent.exe; Params: <956 544 0000000003DBD710>
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:08.390 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:08.390 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
14/04 14:33:08.390 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': NO MATCH
14/04 14:33:08.390 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:20.557 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2040)
14/04 14:33:20.557 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 3044)
14/04 14:33:20.557 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 616)
14/04 14:33:20.572 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 164)
14/04 14:33:20.572 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 2444)
14/04 14:33:20.572 | ProcessingStageEvent.h(121) | 2500 | DBG | Stop process event created (PID: 1460)
14/04 14:33:27.713 | ReportErrorStub.h(47) | 2500 | ERROR | Access is denied.
[EIP: 0x1E76023,0x1E76085] 0x80070005
14/04 14:33:27.885 | ProcessingStageEvent.h(117) | 2500 | DBG | New process event created (PID: 2252; Parent: 1084; Path: C:\Windows\System32\notepad.exe; Params: <C:\ProgramData\Privilege Authority\Logs\CSEHostEngine.log>
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.885 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:27.885 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.885 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:27.885 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.885 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:27.885 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.885 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:27.885 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.885 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and 'S:\iTunes\32 Bit\itunessetu.exe': NO MATCH
14/04 14:33:27.885 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.885 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.885 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.885 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.901 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and 'S:\' (Recursive): NO MATCH
14/04 14:33:27.901 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.901 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.901 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.901 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.901 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and 'S:\iTunes\64 Bit\itunessetu.exe': NO MATCH
14/04 14:33:27.901 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
14/04 14:33:27.901 | LUAFilterRules.cpp(158) | 2500 | DBG | NotInternalProcessRule::Match result:1
14/04 14:33:27.901 | LUAFilterRules.cpp(108) | 2500 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
14/04 14:33:27.901 | LUAFilterRules.cpp(138) | 2500 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1106' and 'S-1-5-21-4199684475-1426916888-3933129214-1106': MATCH
14/04 14:33:27.901 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'C:\Windows\System32\notepad.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:33:27.901 | NewProcessEvtFilter.cpp(119) | 2500 | DBG | Filter matching result 0
Shane
New Member
Posts: 15

--
14 Apr 2011 10:44 PM  
I copied the last part from XP as it is a big log -

14/04 14:33:12.226 | PolicyManager.cpp(311) | 1592 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (0 ms)
14/04 14:33:12.226 | PolicyManager.cpp(261) | 1592 | NONE | ActivatePolicies: policySid='' - succeeded (30 ms)
14/04 14:33:12.226 | PolicyManager.cpp(158) | 1592 | NONE | CPolicyManager::Refresh - succeeded (30 ms)
14/04 14:33:12.237 | StartStopMonitor.cpp(74) | 1592 | NONE | Firing 'CSEHostStartEvent' - starting
14/04 14:33:12.237 | FsFilterLoader.cpp(96) | 1592 | NONE | OnEvent - starting
14/04 14:33:12.237 | FltDevRestrictionsManager.(51) | 1592 | DBG | driver has default config - skip driver load
14/04 14:33:12.237 | FsFilterLoader.cpp(96) | 1592 | NONE | OnEvent - succeeded (0 ms)
14/04 14:33:12.237 | StartStopMonitor.cpp(74) | 1592 | NONE | Firing 'CSEHostStartEvent' - succeeded (10 ms)
14/04 14:36:07.250 | SENSLogonSink.cpp(54) | 1812 | NONE | OnUserLogon TEST\xpuser - starting
14/04 14:36:07.250 | SENSLogonSink.cpp(54) | 1812 | NONE | OnUserLogon TEST\xpuser - succeeded (0 ms)
14/04 14:36:08.175 | LogonMonitor.cpp(287) | 1820 | NONE | User logon detected: sessionid=0 UserSID=S-1-5-21-4199684475-1426916888-3933129214-1105
14/04 14:36:08.175 | PolicyManager.cpp(205) | 1820 | NONE | CPolicyManager:nLogonEvent - starting
14/04 14:36:08.175 | PolicyManager.cpp(222) | 1820 | NONE | Activating policies for user: sessionid=0 sid=S-1-5-21-4199684475-1426916888-3933129214-1105
14/04 14:36:08.175 | PolicyManager.cpp(261) | 1820 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1105' - starting
14/04 14:36:08.175 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - starting
14/04 14:36:08.175 | ProcessMonitor.cpp(181) | 1820 | NONE | CProcessMonitor::Initialize - starting
14/04 14:36:08.175 | ProcessMonitor.cpp(157) | 1820 | NONE | Registering GPEProcessMonitor singleton in GIT - starting
14/04 14:36:08.175 | ProcessMonitor.cpp(157) | 1820 | NONE | Registering GPEProcessMonitor singleton in GIT - succeeded (0 ms)
14/04 14:36:08.185 | ProcessMonitor.cpp(181) | 1820 | NONE | CProcessMonitor::Initialize - succeeded (10 ms)
14/04 14:36:08.185 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (10 ms)
14/04 14:36:08.194 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'S:\iTunes\32 Bit\itunessetu.exe' -> 'S:\iTunes\32 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.194 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.194 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (10 ms)
14/04 14:36:08.203 | ActiveAction.cpp(65) | 1820 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:08.203 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - succeeded (30 ms)
14/04 14:36:08.203 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - starting
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.203 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'S:\' -> 'S:\' by NT AUTHORITY\SYSTEM
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.203 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.203 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.212 | ActiveAction.cpp(65) | 1820 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:08.212 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - succeeded (10 ms)
14/04 14:36:08.212 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - starting
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.212 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'S:\iTunes\64 Bit\itunessetu.exe' -> 'S:\iTunes\64 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.212 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.212 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.222 | ActiveAction.cpp(65) | 1820 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:08.222 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - succeeded (10 ms)
14/04 14:36:08.222 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - starting
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.222 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: '*\ITunesSetup.exe' -> '*\ITunesSetup.exe' by NT AUTHORITY\SYSTEM
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.222 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'workstation;' -> 'workstation;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.222 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.231 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (10 ms)
14/04 14:36:08.231 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.231 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - starting
14/04 14:36:08.231 | StringExpander.cpp(557) | 1820 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:08.231 | StringExpander.cpp(678) | 1820 | DBG | <<Expanded: 'xp;windows7;vista;' -> 'xp;windows7;vista;' by NT AUTHORITY\SYSTEM
14/04 14:36:08.231 | ActiveAction.cpp(65) | 1820 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:08.231 | PolicyManager.cpp(311) | 1820 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - succeeded (10 ms)
14/04 14:36:08.231 | PolicyManager.cpp(261) | 1820 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1105' - succeeded (60 ms)
14/04 14:36:08.231 | PolicyManager.cpp(261) | 1820 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
14/04 14:36:08.231 | PolicyManager.cpp(261) | 1820 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
14/04 14:36:08.231 | PolicyManager.cpp(205) | 1820 | NONE | CPolicyManager:nLogonEvent - succeeded (60 ms)
14/04 14:36:08.231 | ProcessMonitor.cpp(229) | 1820 | DBG | CProcessMonitor:nLogonEvent 0
14/04 14:36:10.090 | GPUpdateMonitor.cpp(197) | 1920 | DBG | firing GPUpdate event for sid=S-1-5-21-4199684475-1426916888-3933129214-1105
14/04 14:36:10.090 | PolicyManager.cpp(158) | 1920 | NONE | CPolicyManager::Refresh - starting
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.090 | ActiveAction.cpp(81) | 1920 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.090 | PolicyManager.cpp(174) | 1920 | NONE | Activating the local machine policies
14/04 14:36:10.090 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='' - starting
14/04 14:36:10.090 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - starting
14/04 14:36:10.090 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
14/04 14:36:10.090 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - succeeded (0 ms)
14/04 14:36:10.090 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - starting
14/04 14:36:10.099 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
14/04 14:36:10.099 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (10 ms)
14/04 14:36:10.099 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='' - succeeded (10 ms)
14/04 14:36:10.099 | LogonMonitor.cpp(293) | 1920 | DBG | Firing logon event: sessionid=0 UserSID=S-1-5-21-4199684475-1426916888-3933129214-1105 subscriber cookie=2
14/04 14:36:10.099 | PolicyManager.cpp(205) | 1920 | NONE | CPolicyManager:nLogonEvent - starting
14/04 14:36:10.099 | PolicyManager.cpp(222) | 1920 | NONE | Activating policies for user: sessionid=0 sid=S-1-5-21-4199684475-1426916888-3933129214-1105
14/04 14:36:10.099 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1105' - starting
14/04 14:36:10.099 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - starting
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.099 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'S:\iTunes\32 Bit\itunessetu.exe' -> 'S:\iTunes\32 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.099 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.108 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.108 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.108 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=00FA5B34-87CB-4132-98FE-31219C70E063; actionId=0 - succeeded (10 ms)
14/04 14:36:10.108 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - starting
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.108 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'S:\' -> 'S:\' by NT AUTHORITY\SYSTEM
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.108 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (10 ms)
14/04 14:36:10.118 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.118 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.118 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=2EDAFBEB-DCF7-4784-8CB2-A7639FDCCC16; actionId=0 - succeeded (10 ms)
14/04 14:36:10.118 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - starting
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.118 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'S:\iTunes\64 Bit\itunessetu.exe' -> 'S:\iTunes\64 Bit\itunessetu.exe' by NT AUTHORITY\SYSTEM
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.118 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (10 ms)
14/04 14:36:10.127 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'OR;' -> 'OR;' by NT AUTHORITY\SYSTEM
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.127 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.127 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=EDD8EBC8-7418-4FCE-8D30-A0AC593FF582; actionId=0 - succeeded (10 ms)
14/04 14:36:10.127 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - starting
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.127 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: '*\ITunesSetup.exe' -> '*\ITunesSetup.exe' by TEST\xpuser
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.127 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.136 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'workstation;' -> 'workstation;' by TEST\xpuser
14/04 14:36:10.136 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.136 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.136 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'OR;' -> 'OR;' by TEST\xpuser
14/04 14:36:10.136 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - starting
14/04 14:36:10.136 | StringExpander.cpp(557) | 1920 | NONE | Adding environment strings to string expander - succeeded (0 ms)
14/04 14:36:10.136 | StringExpander.cpp(678) | 1920 | DBG | <<Expanded: 'xp;windows7;vista;' -> 'xp;windows7;vista;' by TEST\xpuser
14/04 14:36:10.136 | ActiveAction.cpp(65) | 1920 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
14/04 14:36:10.136 | PolicyManager.cpp(311) | 1920 | NONE | ActivateAction: policySid=S-1-5-21-4199684475-1426916888-3933129214-1105; policyId=F2BF1328-BAEA-42AE-B758-D8253DA8D720; actionId=0 - succeeded (10 ms)
14/04 14:36:10.136 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='S-1-5-21-4199684475-1426916888-3933129214-1105' - succeeded (40 ms)
14/04 14:36:10.136 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
14/04 14:36:10.136 | PolicyManager.cpp(261) | 1920 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
14/04 14:36:10.136 | PolicyManager.cpp(205) | 1920 | NONE | CPolicyManager:nLogonEvent - succeeded (40 ms)
14/04 14:36:10.136 | PolicyManager.cpp(158) | 1920 | NONE | CPolicyManager::Refresh - succeeded (50 ms)
14/04 14:36:10.136 | FsFilterLoader.cpp(96) | 1920 | NONE | OnEvent - starting
14/04 14:36:10.136 | FltDevRestrictionsManager.(51) | 1920 | DBG | driver has default config - skip driver load
14/04 14:36:10.136 | FsFilterLoader.cpp(96) | 1920 | NONE | OnEvent - succeeded (0 ms)
14/04 14:36:10.867 | ProcessingStageEvent.h(117) | 1844 | DBG | New process event created (PID: 520; Parent: 564; Path: C:\WINDOWS\system32\userinit.exe; Params: <>
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:10.867 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:10.867 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\userinit.exe 1 0
14/04 14:36:10.867 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:10.867 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.402 | ProcessingStageEvent.h(117) | 1844 | DBG | New process event created (PID: 2024; Parent: 684; Path: C:\WINDOWS\system32\imapi.exe; Params: <>
14/04 14:36:12.402 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.412 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.412 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.412 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.412 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.412 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.412 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.412 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.412 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.412 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.412 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.412 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.412 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.421 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.421 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.421 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.421 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.421 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:12.421 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:12.421 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\imapi.exe 1 0
14/04 14:36:12.421 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
14/04 14:36:12.421 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | ProcessingStageEvent.h(117) | 1844 | DBG | New process event created (PID: 376; Parent: 1212; Path: S:\iTunes\32 Bit\iTunesSetu.exe; Params: <>
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 1 0
14/04 14:36:14.150 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1105' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': MATCH
14/04 14:36:14.150 | LUAFilterRules.cpp(278) | 1844 | DBG | AppSec: Matching process path: 'S:\iTunes\32 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 0 -2147024893
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:14.150 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:14.150 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match S:\iTunes\32 Bit\iTunesSetu.exe 1 0
14/04 14:36:14.150 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1105' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': MATCH
14/04 14:36:14.150 | LUAFilterRules.cpp(278) | 1844 | DBG | AppSec: Matching process path: 'S:\iTunes\32 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:36:14.150 | NewProcessEvtFilter.cpp(119) | 1844 | DBG | Filter matching result 0
14/04 14:36:18.465 | ProcessingStageEvent.h(121) | 1844 | DBG | Stop process event created (PID: 2024)
14/04 14:36:20.877 | ProcessingStageEvent.h(117) | 1844 | DBG | New process event created (PID: 2020; Parent: 376; Path: C:\WINDOWS\system32\msiexec.exe; Params: </i "C:\DOCUME~1\xpuser\LOCALS~1\Temp\IXP234.TMP\iTunes.msi">
14/04 14:36:20.877 | LUAFilterRules.cpp(158) | 1844 | DBG | NotInternalProcessRule::Match result:1
14/04 14:36:20.877 | LUAFilterRules.cpp(108) | 1844 | DBG | FileAccessRule::Match C:\WINDOWS\system32\msiexec.exe 1 0
14/04 14:36:20.877 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-21-4199684475-1426916888-3933129214-1105' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': MATCH
George Plummer (ScriptLogic)
Posts:125

--
14 Apr 2011 11:10 PM  
Somewhere down towards the bottom is this line:

14/04 14:32:55.437 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'S:\iTunes\64 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH

If you had spelt the rule correctly then this should match and the process should be elevated. Correct it and see how it goes.
George Plummer (ScriptLogic)
Posts:125

--
14 Apr 2011 11:14 PM  
And again in the 2nd log is this line:
14/04 14:36:14.150 | LUAFilterRules.cpp(278) | 1844 | DBG | AppSec: Matching process path: 'S:\iTunes\32 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH

Rename the file and it should work
Shane
New Member
Posts:15

--
15 Apr 2011 01:16 AM  
Did you read my post above? This is the log from Windows 7. Keep in mind, I know the p is missing from the "itunessetu.exe" file.

I am also testing another rule that allows user to install depending on file name. All the paths and file names are correct with the missing "p"

The itunessetu.exe with the missing P is done purposely. I am testing a different rule connected to a different GPO by renaming install files. The path and folder shouldn't matter what name when I have the whole path set to admin, correct?

Am I looking wrong?
Shane
New Member
Posts:15

--
18 Apr 2011 06:05 PM  
?
George Plummer (ScriptLogic)
Posts:125

--
18 Apr 2011 10:03 PM  
As I said previously, your file rule appears to be working correctly, but you need to rename your file back.

The folder rule I will investigate.
Shane
New Member
Posts:15

--
19 Apr 2011 05:38 PM  
Ok, something is not clear here so I will give further detail on my issue –
I have 4 rules – governing 2 GPs

GP 1 named iTunes

Rule #1 – “By Path to the Executable”
Path – “*\ITunesSetup.exe”
Security Groups – Administrators

GP2 named Allowed Shared Drive
Rule #2 – “By Folder Path”
Path – “S:\”
Security Groups – Administrators, Domain Admins
Rule #3 – “By Path to Executable”
Path – “S:\iTunes\32 Bit\itunessetu.exe” - this is for 32 bit clients
Security Groups – Administrators, Domain Admins
Rule #4 – “By Path to Executable”
Path – “S:\iTunes\64 Bit\itunessetu.exe”
Security Groups – Administrators, Domain Admins

As you can see, by the way the rules are laid out, it shouldn’t matter with the name, hence I was testing different scenarios on if a user renamed a file, would it allow it to install.

Rule #1 governs GP #1 which states the file name “itunessetup.exe” can be installed

Rule #2, #3, #4 govern GP #2 which says “ANY” file within the shared S:\ Drive can be installed. I purposely renamed the “itunessetup.exe” file to “itunessetu.exe” and put it on the S drive to be installed. Users cannot. So per my rules, “ANY” file on my S drive should be allowed to be installed. Whether it is named “itunessetup.exe”, “it.exe”, “tunes.exe”, etc.
How is renaming the file going to change the permissions that are supposed to be pushed down from rules 2, 3, and 4 when the file name they are installing is explicitly defined in the rule?
Same with the first rule, it is explicitly defined by file name. The 2 GPOs are governed by completely separate rules with the file names being defined by spelling. This should work how it is set up.

Thank you for your help. This is kind of confusing!



George Plummer (ScriptLogic)
Posts:125

--
20 Apr 2011 08:10 AM  
We have discovered that there is an issue when using mapped drives, and this is obviously the cause of your problem. So your folder rule is not going to work for s:\. It will work if you use a full UNC path. We are resolving this issue and will make it available ASAP. Sorry about the confusion.
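For triaging a debug log like the ones posted in this thread, the following added example (not ScriptLogic's code and not from any poster) parses the `AppSec: Matching ...` lines and flags two kinds of NO MATCH worth a second look: a path rule whose file name is almost the process's file name, and a NO MATCH that plain case-insensitive glob or folder-prefix matching would have accepted, which is how a product-side issue such as the mapped-drive one shows up. The matching semantics, the 0.85 similarity threshold, the function names and the third sample line are assumptions.

```python
import re
from difflib import SequenceMatcher
from fnmatch import fnmatchcase
from ntpath import basename

# Lines 1, 2 and 4 are quoted from the logs in this thread; line 3 (the folder
# evaluation for the S:\ share) is constructed in the same format.
SAMPLE_LOG = r"""
14/04 14:32:55.437 | LUAFilterRules.cpp(278) | 2500 | DBG | AppSec: Matching process path: 'S:\iTunes\64 Bit\iTunesSetu.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:36:20.877 | LUAFilterRules.cpp(278) | 1844 | DBG | AppSec: Matching process path: 'C:\WINDOWS\system32\msiexec.exe' and '*\ITunesSetup.exe': NO MATCH
14/04 14:32:55.437 | LUAFilterRules.cpp(354) | 2500 | DBG | AppSec: Matching process folder: 'S:\iTunes\64 Bit\' and 'S:\' (Recursive): NO MATCH
14/04 14:36:21.609 | LUAFilterRules.cpp(138) | 1844 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-4199684475-1426916888-3933129214-1105': NO MATCH
"""

# One path/folder evaluation per line: 'actual value' and 'rule value': result.
EVAL_RE = re.compile(
    r"AppSec: Matching (?P<kind>process path|msi path|process folder|msi folder): "
    r"'(?P<actual>.*?)' and '(?P<rule>.*?)'(?P<recursive> \(Recursive\))?: "
    r"(?P<result>NO MATCH|MATCH)\s*$"
)


def parse_evaluations(log_text):
    """Return one dict per path or folder rule evaluation; SID lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVAL_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["recursive"] = ev["recursive"] is not None
            events.append(ev)
    return events


def lexically_matches(ev):
    """Assumed semantics: case-insensitive glob for paths, prefix for recursive folders."""
    actual, rule = ev["actual"].lower(), ev["rule"].lower()
    if ev["kind"].endswith("folder"):
        rule = rule.rstrip("\\") + "\\"      # so 'S:\foo' does not prefix 'S:\foobar\'
        return actual.startswith(rule) if ev["recursive"] else actual == rule
    return fnmatchcase(actual, rule)


def classify(ev, threshold=0.85):
    """Label one evaluation; threshold is an assumed cut-off for 'almost the same name'."""
    if ev["result"] == "MATCH":
        return "matched"
    if lexically_matches(ev):
        # The strings agree but the engine said NO MATCH: look at the product,
        # not the rule (e.g. how it resolves a mapped drive letter).
        return "unexpected-no-match"
    if ev["kind"].endswith("path"):
        ratio = SequenceMatcher(
            None, basename(ev["actual"]).lower(), basename(ev["rule"]).lower()
        ).ratio()
        if ratio >= threshold:
            # Rule and file name differ by a character or two: typo or renamed file.
            return "near-miss-name"
    return "expected-no-match"


def triage(log_text):
    """Return (verdict, kind, actual, rule) for evaluations that need a human look."""
    findings = []
    for ev in parse_evaluations(log_text):
        verdict = classify(ev)
        if verdict in ("unexpected-no-match", "near-miss-name"):
            findings.append((verdict, ev["kind"], ev["actual"], ev["rule"]))
    return findings


if __name__ == "__main__":
    for verdict, kind, actual, rule in triage(SAMPLE_LOG):
        print(f"{verdict:20} {kind:15} {actual!r} vs rule {rule!r}")
```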
Shane
New Member
Posts:15

--
21 Apr 2011 11:41 PM  
I just tested with UNC instead of Mapped Drive, you are right, it worked. But you won't typically map a drive via UNC from GP, it will be mapped to a drive. Do you have an ETA?
Shane
New Member
Posts:15

--
02 May 2011 07:28 PM  
Any thoughts?
George Plummer (ScriptLogic)
Posts:125

--
03 May 2011 07:31 AM  
This should be out within the next week.
Shane
New Member
Posts:15

--
17 May 2011 11:15 PM  
Hello, any news on this as of yet?
George Plummer (ScriptLogic)
Posts:125

--
18 May 2011 09:13 AM  
Targeted for the start of next week.
Shane
New Member
Posts:15

--
25 May 2011 10:42 PM  
Any word on this as of yet?