FireDaemon Zero can optionally add log entries to the Windows Application Event Log that record significant events such as when a user interactively switches to or from Session 0.
By examining these event log entries, administrators can identify who switched to Session 0, reverted from Session 0, or was returned to their logged-in session.
Preference settings are available to enable or disable this event logging behaviour.
Configuration
The FireDaemon Zero Global Preferences section is used to configure system security and logging policies:
- In the System tray, right-click the FireDaemon Zero icon and select Options.
- Click Auditing.
- Use the checkboxes to enable or disable the corresponding logging action, then click OK.
The following table describes the entries that FireDaemon Zero will record in the Application Event Log in each circumstance. In all cases, the Source of the event is set to FireDaemon Zero.
| Action | Event ID | Task Category (ID) | Event Message | Level | Event User Information | Reporting FireDaemon Tool |
|---|---|---|---|---|---|---|
| Switches to | 0 | Session 0 (1) | User <user> switches to Session 0. | Information | <Session User> | FDZero Tray |
| Reverts from | 1 | Session 0 (1) | User reverts from Session 0 to their logged-in session. | Information | FDZero Tray | |
| Kicks out | 2 | Session 0 (1) | User <user> kicks Session 0. | Information | <Process User> | FDUI0Control |
| Takes control over (i.e. steals) | 3 | Session 0 (1) | User <user> takes control of Session 0. | Information | <Session User> | <Session User> |
| Returned to logged-on session, e.g. as a result of a timeout. | 4 | Session 0 (1) | User is returned to his or her logged-in session. | Information | FDUI0Shell | |
Notification (for Session 0):WTS_CONSOLE_CONNECTWTS_REMOTE_CONNECT | 4778 | Other Logon/ Logoff Events (3107) | Session 0 was reconnected to a Window Station. | Success | FDUI0Shell | |
Notification (for Session 0):WTS_CONSOLE_DISCONNECTWTS_REMOTE_DISCONNECT | 4779 | Other Logon/ Logoff Events (3107) | Session 0 was disconnected from a Window Station. | Success | FDUI0Shell |
FireDaemon Zero uses the following event categories:
| Event Category | Description |
|---|---|
| ID 1: Session 0 | “Session 0” is the event category that all FireDaemon products use when reporting Session 0 related events. |
ID 3107: Other Logon/Logoff Events | The “Other Logon/Logoff Events” category, together with specific event IDs, is used to imitate the entries that the Windows Security Auditing system reports. |