Event Monitor Service for Windows

Martin Brinkmann
Mar 3, 2016

Event Monitor Service is a free (for personal use) program for Windows that monitors important system events such as file deletions or Registry changes.

As the name suggests, a service is installed when you hit the supplied install.bat batch file which starts to operate as soon as it has been created.

There is also an uninstall.bat file which you can make use of to remove the service again from operating systems it was installed on previously.

The download archive provides installers for 32-bit and 64-bit versions of Windows, and general compatibility starts with Windows Vista all the way up to Windows 10.

Event Monitor Service review

Before you run the installer, you may want to check the config.ini file which you find in the service directory as it defines what is being monitored and logged, and what is not among other things.

event monitor service

The service is configured to monitor all supported events and locations of the operating system by default which you can change by replacing the "y" in a line with a "n".

The following events and locations are monitored by Event Monitor Service:

  1. File Creations
  2. File Deletions
  3. PE Image Drops
  4. Loaded Drivers
  5. Process Creations
  6. Process Terminations
  7. Loaded DLLs
  8. Registry

You may  furthermore change the default path the logs are stored in, and add exclusions for folders and Registry locations that you don't want monitored by the service.

If you don't change the paths, you need to copy the entire EMSvc folder to c: root, right-click on the installer file and select run as administrator from the options to install the service successfully.

Changing the paths allows you to install it from any other directory on the system and define where the log files will be stored in.

Check the Logs > Date folder to make sure the service is monitoring events correctly. There you should fine a log file for each of the monitored events which you can open in any plain text viewer, editor, or specialized log file reader.

Note: There is no option to stop the monitoring easily. What you can do is stop the service using the Services Manager. Tap on the Windows-key, type services.msc and hit enter. Locate the service called EMS, right-click on it and select Stop or Disable from the context menu. Alternatively, right-click on the uninstall.bat file and select "run as administrator" to remove the service entirely from the system.

The log files can grow quickly in size depending on how the computer is being used.

event logs

The logs list each event by date and time, and provide detailed information about the actual event, for instance the process that created a new file, and the full path and name of that file, or the type of Registry operation, the process that caused it, and the key that was created, changed or deleted from the Windows Registry.

Closing Words

Event Monitor Service ships without user interface but runs as a background service which means that it supports standard user accounts and multi-user environments among other things.

The logs can be useful even on home systems, for instance to analyze a software installation or malware attack on the system.

If you prefer monitoring programs with interfaces, try Registry Alert for monitoring the Windows Registry, and File Watcher Simple for monitoring file changes in specific folders.

software image
Author Rating
1.5 based on 4 votes
Software Name
Event Monitor Service
Operating System
Software Category
Landing Page

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Joao Ricardo said on November 19, 2018 at 6:08 pm

    I do not recommend this. It made my Windows 10 PC so slow I had to literally load an older system image from the Safe Mode Boot because I could no longer use the Task Manager, File Explorer, etc.
    I could not even delete files/folders and my laptop is VERY good w/ 12GB RAM, 256GB SSD and an i7-8550U….

    tl;dr NO

  2. cybernard said on March 8, 2016 at 4:17 pm

    If you want to monitor windows properly use

  3. Rotten Scoundrel said on March 3, 2016 at 6:04 pm

    Very simple actually, start here…

    1. apo00axc said on March 3, 2016 at 7:53 pm

      No, it uses code hooking and kernel driver for logging events, much better and effective.

  4. goddert said on March 3, 2016 at 3:31 pm

    System load? Considered that it puts its fingers on nearly everything and I don’t how it gets its information it would be interesting to know … Other similar tools are quite expensive concerning this.

    1. Martin Brinkmann said on March 3, 2016 at 3:50 pm

      Surprisingly low. I did not run the service for a long time but did not notice cpu or memory spikes while it was monitoring the system actively (all areas).

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.