Change Monitoring

Even a modest Windows desktop system can contain well over two hundred thousand files and half a million registry values. Change is constant on the system, and often the change is hidden from the end-user. A minor change to an executable or library file, especially in the case of a virus or worm, is often the only clue you have as an administrator that something has happened on the system.

Monitoring change on the file system and in the system registry is a vital discipline that substantially improves corporate security. Within the Windows architecture, however, it is, for all practical purposes, impossible to detect what was changed, much less who changed it and when.

Using WhatChanged, the change management module of EventTracker, a user can deploy powerful file and registry integrity monitoring to track hundreds of thousands of objects within a Windows system.

Features/Benefits of EventTracker-Change

  • Detection of cracked binaries
  • Vulnerability analysis and monitoring
  • Detection of undesired configurations
  • BOTnet and Zero Day attack analysis & monitoring

  • Maintain trail of unauthorized/authorized changes
  • Maintain history of configuration and system changes
  • Policy based conformance with compliance checklist
  • Meet PCI, FISMA, SOX, HIPAA, NERC, FDCC compliance in the area of Configuration Assessment

  • Improve uptime by tightening configuration control
  • Software install monitoring
  • Rollback to a previously known restore point
  • Desktop change monitoring

How It Works

WhatChanged takes a quick, periodic snapshot of each system and compares it against either a master snapshot of the known-correct configuration or a previous snapshot, so that change can be monitored over time. With WhatChanged, system administrators can quickly detect critical clues to unauthorized changes on the system.

WhatChanged is fully integrated into the EventTracker framework. When WhatChanged detects a change policy violation, it sends an event to the EventTracker console. Rules and alerts can be configured on these events, and reports and analyses run against them.

WhatChanged stores a record of all changes in a central repository. The central repository consists of highly compressed binary files and there are no additional hidden costs in the form of database licenses and time-consuming database administrative tasks. These stored change records can be used as a powerful forensic tool to go back and figure out just what happened after the fact.
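The snapshot-and-compare cycle described in this section (baseline snapshot, periodic re-snapshot, change events for each difference, change records kept in a compressed repository) is illustrated by the following added example. It is not EventTracker or WhatChanged code, and it does not use their formats; it is a minimal file-integrity monitor written for this page. The function names, the SHA-256 fingerprint, the JSON-lines record format and the constructed sample directory are all assumptions made for the example, and it covers only a directory tree, not the registry.

```python
import gzip
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """Content fingerprint of one file (SHA-256), read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root: str) -> Dict[str, dict]:
    """Snapshot every file under root: relative path -> size and hash."""
    snap: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": os.stat(full).st_size, "sha256": hash_file(full)}
    return snap


def compare_snapshots(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Diff two snapshots into change events (added / removed / modified).

    The baseline may be a master 'known good' snapshot or simply the previous
    periodic snapshot; the comparison is the same either way.
    """
    events: List[dict] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append({"object": rel, "change": "added",
                           "new_sha256": current[rel]["sha256"]})
        elif rel not in current:
            events.append({"object": rel, "change": "removed",
                           "old_sha256": baseline[rel]["sha256"]})
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            # Hash comparison catches edits that leave size and name intact.
            events.append({"object": rel, "change": "modified",
                           "old_sha256": baseline[rel]["sha256"],
                           "new_sha256": current[rel]["sha256"]})
    return events


def store_change_records(events: List[dict], repo_path: str) -> None:
    """Append change events to a gzip-compressed JSON-lines repository."""
    with gzip.open(repo_path, "at", encoding="utf-8") as f:
        for ev in events:
            f.write(json.dumps(ev, sort_keys=True) + "\n")


def load_change_records(repo_path: str) -> List[dict]:
    """Read the repository back for after-the-fact (forensic) review."""
    with gzip.open(repo_path, "rt", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def _write(root: str, rel: str, data: bytes) -> None:
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: one monitored directory, one change cycle."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app.exe", b"original binary")
        _write(root, "config.ini", b"setting=1")
        _write(root, "old.dll", b"to be removed")
        baseline = take_snapshot(root)

        # Changes between two snapshots: one edit, one new file, one deletion.
        _write(root, "app.exe", b"original binary with extra bytes")
        _write(root, "new.dll", b"newly dropped library")
        os.remove(os.path.join(root, "old.dll"))

        events = compare_snapshots(baseline, take_snapshot(root))
        repo = os.path.join(root, "changes.jsonl.gz")
        store_change_records(events, repo)
        stored = load_change_records(repo)
    return {"events": events, "stored": stored}


if __name__ == "__main__":
    for ev in demo()["events"]:
        print(ev["change"], ev["object"])
```

In the scenario, `config.ini` is untouched and produces no event, while the edited `app.exe`, the new `new.dll` and the deleted `old.dll` each yield one. Comparing hashes rather than sizes or timestamps is what makes the edit to `app.exe` detectable even when an attacker preserves the original file size and mtime; a real monitor would also snapshot ACLs, alternate data streams and registry values, and would ship the events to a central console rather than print them.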