deviceTRUST Product Events

deviceTRUST delivers information about its runtime behavior to the Windows Event Log for easy integration into existing Security Information and Event Management (SIEM) and reporting solutions. This information includes detailed properties of the remote device during user logon and reconnect, as well as all properties that change whilst the user session is active.

deviceTRUST/Admin Channel

The ADMIN channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN, or queried programmatically using the deviceTRUST/Admin channel. The following events are included:

| Event ID | Name | Type | Data Format Name | Description |
|---|---|---|---|---|
| 1 | Service Started | Information | Service Status | The ‘dthost’ service has started. |
| 2 | Service Stopped | Information | Service Status | The ‘dthost’ service has stopped. |
| 11 | License Validated | Information | License | The license has been read, is valid, and is neither expired nor within the expiry threshold (30 days). The license is read on service startup, and any time a new license is deployed by Group Policy. |
| 12 | Hard License Expires Soon | Warning | License | The license is a hard license, is valid, but it expires within the expiry threshold (30 days). Since the license is a hard license, the software will stop functioning once the expiry date is reached. |
| 13 | Soft License Expires Soon | Warning | License | The license is a soft license, is valid, but it expires within the expiry threshold (30 days). Since the license is a soft license, the software will continue to function after the expiry date is reached. |
| 14 | Soft License Expired | Error | License | The license is a soft license, is valid, but has expired. Since the license is a soft license, the software will continue to function. |
| 15 | Hard License Expired | Error | License | The license is a hard license, is valid, but has expired. Since the license is a hard license, the software will not function. |
| 16 | License Invalid | Error | License Invalid | The license does not exist or contains invalid data. |
| 101 | Logon | Information | Connection | A user successfully logged onto a new session. |
| 102 | Reconnect | Information | Connection | A user successfully reconnected to an existing session. |
| 103 | Logoff | Information | Session | A user who had previously successfully logged onto a session was logged off. |
| 104 | Disconnect | Information | Session | A user who had previously successfully logged onto a session was disconnected from that session. |
| 105 | Property Changed | Information | Property Changed | One or more properties of the host or remote connected device were added, removed or changed. |
| 111 | Untrusted Device Blocked | Warning | Untrusted Device Blocked | A user attempted to log on or reconnect to an existing session, but the deviceTRUST Client failed to provide properties of the remote connected device, and the policy determines that this information is required. |
| 112 | Trusted Device Blocked | Warning | Trusted Device | A trusted device, i.e. a device with the deviceTRUST Client installed, was blocked from access because it did not meet the minimum version or encryption requirements. |
| 113 | Trusted Device Auto Update Succeeded | Information | Trusted Device Auto Update | A trusted device was successfully auto-updated. |
| 114 | Trusted Device Auto Update Failed | Error | Trusted Device Auto Update Failed | A trusted device failed to auto-update. |
| 201 | Trigger Executed | Information | Trigger | A trigger configured by policy was executed. |
| 202 | Trigger Succeeded | Information | Trigger Succeeded | A trigger finished executing and the process did not report an error. |
| 203 | Trigger Failed | Error | Trigger Failed | A trigger finished executing, but the process either timed out or reported an error. |
| 301 | Access Allowed | Information | Access Allowed | Access to the shell was allowed by a call to dtcmd.exe ACCESS /operation:allow. |
| 302 | Access Denied | Warning | User Message | Access to the shell was denied by a call to dtcmd.exe ACCESS /operation:deny. |
| 303 | Access Failed | Error | Access Failed | A request to change access to the shell failed. |
| 304 | Popup Shown | Information | User Message | A popup message was displayed on the shell. |
| 311 | Event Info | Information | Event | A custom information event was created by a call to dtcmd.exe EVENT /level:info. |
| 312 | Event Warning | Warning | Event | A custom warning event was created by a call to dtcmd.exe EVENT /level:warning. |
| 313 | Event Error | Error | Event | A custom error event was created by a call to dtcmd.exe EVENT /level:error. |
| 321 | AppLocker Rule | Information | AppLocker Rule | An AppLocker rule was applied as a result of a call to dtcmd.exe APPLOCKER. |
| 322 | AppLocker Rule Failed | Error | AppLocker Rule Failed | An AppLocker rule failed to apply. |
| 331 | Application Terminated | Information | Application Terminated | An application was terminated because a user failed to close an application following a call to dtcmd.exe APPTERMINATE. |
| 332 | Application Shutdown | Information | Application Shutdown | A user was asked to shut down an application following a call to dtcmd.exe APPTERMINATE. |
| 341 | Popup Shown | Information | Popup Shown | A popup message was shown to the user. |
| 342 | Popup Failed | Error | Popup Failed | An attempt to display a popup message to the user failed. |
| 351 | Registry Updated | Information | Registry Updated | The registry was updated. |
| 352 | Registry Warning | Warning | Registry Warning | A warning was generated while updating the registry. |
| 353 | Registry Failed | Error | Registry Failed | An attempt to update the registry failed. |
| 361 | Printer Mapped | Information | Printer Operation | Printers were successfully mapped. |
| 362 | Printer Map Failed | Error | Printer Operation Failed | An attempt to map printers failed. |
| 363 | Printer Unmapped | Information | Printer Operation | Printers were successfully unmapped. |
| 364 | Printer Unmap Failed | Error | Printer Operation Failed | An attempt to unmap printers failed. |
| 365 | Printer Set Default | Information | Printer Operation | A printer was set as default. |
| 366 | Printer Set Default Failed | Error | Printer Operation Failed | An attempt to set a default printer failed. |
| 371 | App Masking Update | Information | App Masking Update | A Microsoft FSLogix App Masking update was successfully applied. |
| 372 | App Masking Update Failed | Error | App Masking Update Failed | A Microsoft FSLogix App Masking update failed. |

The above events report the following event data:

| Data Format Name | Field Name (Index) | Format | Description |
|---|---|---|---|
| Service Status | Name (1) | TEXT | The name of the service, e.g. deviceTRUST Host Service. |
| License | CustomerId (1) | GUID | An identifier that uniquely identifies the customer. |
| | LicenseId (2) | GUID | An identifier that uniquely identifies the license. |
| | IssueDate (3) | SYSTEMTIME | The date that the license was issued. |
| | ExpiryDate (4) | SYSTEMTIME | The date that the license expires. |
| | Type (5) | TEXT | The type of license, e.g. Subscription. |
| | Quantity (6) | INT | The quantity of units that can consume a license. |
| | Unit (7) | TEXT | The unit of license, e.g. User. |
| | Days (8) | INT | The number of days remaining on the license. |
| License Invalid | Message (1) | TEXT | A description of the reason why the license is invalid. |
| Session | LogonId (1) | GUID | Uniquely identifies events from the same logon session. By filtering on this field, all events related to a single logon session can be determined. |
| | LogonTime (2) | SYSTEMTIME | The time that the user logged onto the session. |
| | ConnectedId (3) | GUID | Uniquely identifies events from the same connection. Unlike the LogonId, the value of this field changes every time a new connection is established to an existing session. |
| | ConnectedTime (4) | SYSTEMTIME | The time that the user logged on, or reconnected, to the session. |
| | SessionId (5) | INT | The session id that the user is connected to. |
| | UserName (6) | TEXT | The name of the user logged into the session. |
| | UserDomain (7) | TEXT | The domain of the user logged into the session. |
| | UserSID (8) | TEXT | The security identifier of the user logged into the session. |
| Connection | DeviceId (9) | TEXT | Uniquely identifies the remote connected device. All activity originating from the same device can be queried by filtering on this field. This field is blank for local console sessions. |
| | DeviceName (10) | TEXT | The name of the remote connected device. This field is blank for local console sessions. |
| | DeviceOS (11) | TEXT | The operating system of the remote connected device. This field is blank for local console sessions, and if the deviceTRUST Client did not provide details of the operating system. |
| | Properties (12) | TEXT | A textual representation of all properties, including host and device properties. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
| | Contexts (13) | TEXT | A textual representation of all contexts. The contexts are formatted with the name and value separated by an equals symbol (=), and multiple contexts separated by a newline (\n) character. E.g. CONTEXT1=VALUE1\nCONTEXT2=VALUE2\n |
| | Errors (14) | TEXT | A description of any errors that occurred whilst obtaining properties. |
| | Timings (15) | TEXT | Lists the five deviceTRUST Host and Client property providers that took the longest to return, in milliseconds. |
| | Duration (16) | INT | The number of milliseconds it took for all deviceTRUST property providers to return. |
| Property Changed | AddedProperties (9) | TEXT | A textual representation of all properties that were added. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
| | RemovedProperties (10) | TEXT | A textual representation of all properties that were removed. The properties are formatted with the name of each property, with multiple properties separated by a newline (\n) character. E.g. PROPERTY1\nPROPERTY2\n |
| | ChangedProperties (11) | TEXT | A textual representation of all properties that were changed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
| | PreviousProperties (12) | TEXT | A textual representation of the previous value of all properties that were changed or removed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n |
| Untrusted Device Blocked | ClientName (9) | TEXT | The Operating System reported name of the connecting device. |
| Trusted Device | ClientName (9) | TEXT | The deviceTRUST Client reported name of the connected device. |
| | ClientVersion (10) | TEXT | The version number of the deviceTRUST Client on the remote device. |
| | MinimumVersion (11) | TEXT | The minimum version of the deviceTRUST Client as defined by policy. |
| | Encrypted (12) | BOOLEAN | Set to true when application level encryption was used in addition to the encryption offered by the underlying protocol. |
| Trusted Device Auto Update | AutoUpdateUrls (13) | TEXT | The auto-update URLs that were used to upgrade the deviceTRUST Client. |
| Trusted Device Auto Update Failed | ErrorMessage (14) | TEXT | An error message reported by the upgrade of the deviceTRUST Client. |
| Trigger | TriggerName (9) | TEXT | The name of the trigger, e.g. Logon, Logoff, Reconnect, Disconnect, PropertyChanged. |
| | TriggerType (10) | TEXT | The type of the trigger, e.g. Executable, Batch or PowerShell. |
| | CommandLine (11) | TEXT | The command line process executed. |
| | RunAs (12) | TEXT | Either ‘USER’ or ‘SYSTEM’, depending upon the configuration of the trigger that was executed. |
| | Identity (13) | TEXT | The user name of the process. |
| | Pid (14) | INT | The Process ID of the triggered process. |
| Trigger Succeeded | Duration (15) | INT | The time taken for the process to complete, in milliseconds. |
| Trigger Failed | Duration (15) | INT | The time taken for the process to complete, in milliseconds. |
| | Error (16) | TEXT | An error message explaining why the process failed. |
| User Message | Title (9) | TEXT | A message title displayed to the user. |
| | Message (10) | TEXT | The message displayed to the user. |
| | Timeout (11) | INT | The timeout period that the message is displayed to the user. |
| Access Allowed | Message (9) | TEXT | The message reported by a call to dtcmd.exe ACCESS. |
| Access Failed | Reason (9) | TEXT | The reason that a call to dtcmd.exe ACCESS failed. |
| | Message (10) | TEXT | The message supplied to a call to dtcmd.exe ACCESS that would have been displayed to the user if the call succeeded. |
| | Timeout (11) | INT | The timeout period that the user would have had before being disconnected from the session, if the call to dtcmd.exe ACCESS succeeded. |
| Event | Message (9) | TEXT | A user supplied message from a call to dtcmd.exe EVENT. |
| AppLocker Rule | Name (9) | TEXT | The name of the rule, as supplied to dtcmd.exe APPLOCKER. |
| | Action (10) | TEXT | The action of the AppLocker rule, either Allow, Deny or Delete. |
| | Type (11) | TEXT | The type of the AppLocker rule, either Executable, Dll, Installer, Script or Package. |
| | Rule (12) | TEXT | The AppLocker XML fragment that defines the rule. |
| AppLocker Rule Failed | Name (9) | TEXT | The name of the rule, as supplied to dtcmd.exe APPLOCKER. |
| | Action (10) | TEXT | The action of the AppLocker rule, either Allow, Deny or Delete. |
| | Type (11) | TEXT | The type of the AppLocker rule, either Executable, Dll, Installer, Script or Package. |
| | Message (12) | TEXT | A message explaining why the rule failed to apply. |
| Application Terminated | Title (9) | TEXT | The title displayed to the user following a call to dtcmd.exe APPTERMINATE. |
| | Message (10) | TEXT | The message displayed to the user following a call to dtcmd.exe APPTERMINATE. |
| | Applications (11) | TEXT | A comma separated list of all processes and their PIDs that were terminated. |
| Application Shutdown | Termination Time (12) | DATE/TIME | The time that the applications will be terminated. |
| Popup Shown | Title (9) | TEXT | The popup title. |
| | Message (10) | TEXT | The popup message. |
| | Timeout (11) | INT | The timeout in seconds to display the popup. |
| Popup Failed | Reason (9) | TEXT | The reason that the popup failed to be shown. |
| | Title (10) | TEXT | The popup title. |
| | Message (11) | TEXT | The popup message. |
| | Timeout (12) | INT | The timeout in seconds to display the popup. |
| Registry Updated | Values (9) | TEXT | The registry values. |
| | Persist (10) | TEXT | How to persist the registry values. |
| | Protect (11) | BOOLEAN | Whether the registry key is protected. |
| Registry Warning | Warnings (12) | TEXT | The warning messages generated by the update. |
| Registry Failed | Source (9) | TEXT | The source of the registry update. |
| | Reason (10) | TEXT | The reason the registry update failed. |
| Printer Operation | Printer (9) | TEXT | The path to the printers. |
| Printer Operation Failed | Reason (10) | TEXT | The reason that the printer operation failed. |
| App Masking Update | Path (9) | TEXT | The path to the Microsoft FSLogix App Masking Rule Assignment file. |
| | Operation (10) | TEXT | The type of operation. |
| | Entry (11) | TEXT | The entry to apply to the file. |
| App Masking Update Failed | Error (12) | TEXT | The reason that the Microsoft FSLogix App Masking update failed. |
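
The following is an added example, not deviceTRUST's own code: SIEM-side Python that maps the ordered event data of Logon/Reconnect (101/102) and Property Changed (105) events to the field names above, parses the NAME=VALUE text, and replays property changes per LogonId. It assumes events arrive in time order as (event id, list of data values) and that all three events begin with the eight Session fields; the sample values are constructed.

```python
# Added example. Field order follows the event data table (1-based indexes).
# Assumption: 101/102/105 all begin with the eight Session fields.
SESSION = ["LogonId", "LogonTime", "ConnectedId", "ConnectedTime",
           "SessionId", "UserName", "UserDomain", "UserSID"]
CONNECTION = SESSION + ["DeviceId", "DeviceName", "DeviceOS", "Properties",
                        "Contexts", "Errors", "Timings", "Duration"]
PROPERTY_CHANGED = SESSION + ["AddedProperties", "RemovedProperties",
                              "ChangedProperties", "PreviousProperties"]
LAYOUTS = {101: CONNECTION, 102: CONNECTION, 105: PROPERTY_CHANGED}

def parse_pairs(text):
    """Parse 'NAME=VALUE' lines into a dict; a bare NAME maps to ''."""
    pairs = {}
    for line in text.splitlines():
        name, _, value = line.partition("=")  # split once: values may hold '='
        if name.strip():
            pairs[name.strip()] = value.strip()
    return pairs

def replay(events):
    """Replay time-ordered (event_id, data) tuples; return (state, changes)."""
    state, changes = {}, []
    for event_id, data in events:
        layout = LAYOUTS.get(event_id)
        if layout is None:
            continue  # event carries no property data
        rec = dict(zip(layout, data))
        logon = rec["LogonId"]
        if event_id != 105:
            state[logon] = parse_pairs(rec["Properties"])  # full snapshot
            continue
        props = state.setdefault(logon, {})
        previous = parse_pairs(rec["PreviousProperties"])
        for name in parse_pairs(rec["RemovedProperties"]):
            props.pop(name, None)
            changes.append((logon, name, previous.get(name), None))
        for key in ("AddedProperties", "ChangedProperties"):
            for name, value in parse_pairs(rec[key]).items():
                props[name] = value
                changes.append((logon, name, previous.get(name), value))
    return state, changes

# Constructed sample: one logon followed by one property change.
BASE = ["{LOGON-1}", "t0", "{CONN-1}", "t0", "2", "alice", "CORP", "S-1-5-21-0"]
SAMPLE = [
    (101, BASE + ["DEV-1", "PC01", "Windows", "PROPERTY1=1\nPROPERTY2=x=y\n", "", "", "", "120"]),
    (105, BASE + ["PROPERTY3=new\n", "PROPERTY2 \n", "PROPERTY1=2\n", "PROPERTY1=1\nPROPERTY2=x=y\n"]),
]
```

Each change record is (LogonId, property name, previous value, new value), so filtering the records on one LogonId gives the property history of a single logon session.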

deviceTRUST/Usage Channel

The USAGE channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\USAGE, or queried programmatically using the deviceTRUST/Usage channel. The following event is included.

| Event ID | Name | Type | Data Format Name | Description |
|---|---|---|---|---|
| 21 | Usage | Information | Usage | Raised when a license unit, e.g. a User, logs into the host for the first time within a calendar month. |

The above event reports the following event data:

| Data Format Name | Field Name (Index) | Format | Description |
|---|---|---|---|
| Usage | TrackingId (1) | TEXT | Uniquely identifies the license unit, e.g. the User, that logged in. For a user, this is a Base64 encoded SHA256 hash of the user’s security identifier. |
| | TrackingName (2) | TEXT | The name of the license unit that logged in, e.g. the user name. |
| | TrackingUnit (3) | TEXT | The unit of license, e.g. User. |