Event Monitor Service for Windows

Event Monitor Service is a free (for personal use) program for Windows that monitors important system events such as file deletions or Registry changes.

As the name suggests, a service is installed when you hit the supplied install.bat batch file which starts to operate as soon as it has been created.

There is also an uninstall.bat file which you can make use of to remove the service again from operating systems it was installed on previously.

The download archive provides installers for 32-bit and 64-bit versions of Windows, and general compatibility starts with Windows Vista all the way up to Windows 10.

Event Monitor Service review

Before you run the installer, you may want to check the config.ini file which you find in the service directory as it defines what is being monitored and logged, and what is not among other things.

The service is configured to monitor all supported events and locations of the operating system by default which you can change by replacing the "y" in a line with a "n".

The following events and locations are monitored by Event Monitor Service:

1. File Creations
2. File Deletions
3. PE Image Drops
4. Loaded Drivers
5. Process Creations
6. Process Terminations
7. Loaded DLLs
8. Registry

You may  furthermore change the default path the logs are stored in, and add exclusions for folders and Registry locations that you don't want monitored by the service.

If you don't change the paths, you need to copy the entire EMSvc folder to c: root, right-click on the installer file and select run as administrator from the options to install the service successfully.

Changing the paths allows you to install it from any other directory on the system and define where the log files will be stored in.

Check the Logs > Date folder to make sure the service is monitoring events correctly. There you should fine a log file for each of the monitored events which you can open in any plain text viewer, editor, or specialized log file reader.

Note: There is no option to stop the monitoring easily. What you can do is stop the service using the Services Manager. Tap on the Windows-key, type services.msc and hit enter. Locate the service called EMS, right-click on it and select Stop or Disable from the context menu. Alternatively, right-click on the uninstall.bat file and select "run as administrator" to remove the service entirely from the system.

The log files can grow quickly in size depending on how the computer is being used.

The logs list each event by date and time, and provide detailed information about the actual event, for instance the process that created a new file, and the full path and name of that file, or the type of Registry operation, the process that caused it, and the key that was created, changed or deleted from the Windows Registry.

Closing Words

Event Monitor Service ships without user interface but runs as a background service which means that it supports standard user accounts and multi-user environments among other things.

The logs can be useful even on home systems, for instance to analyze a software installation or malware attack on the system.

If you prefer monitoring programs with interfaces, try Registry Alert for monitoring the Windows Registry, and File Watcher Simple for monitoring file changes in specific folders.

Advertisement