If System Change Log is already installed, the Install button will not be present. Instead, setup will present an Upgrade button. If older versions of any of the distribution files already exist on your machine, the program will upgrade them automatically when you select Upgrade. In some cases, it may be necessary for you to reboot your machine to complete installation or an upgrade. If so, you will be prompted to restart.

System Change Log installs to the system directory (usually C:\Windows\system32 or C:\WINNT\system32).

Removal
Run setup.exe again, and click the Remove button on the setup dialog. You may also run scl.exe /remove from the system directory. The Remove button will only be enabled if setup determines that the service is already installed.

Upgrading
To upgrade to a new version, download and unzip the new version to a temporary directory. Double-click the new setup.exe and click the Upgrade button. The Upgrade button will only be visible if setup determines that an older version of the service is already installed. Otherwise, only the Install and Remove buttons will be shown.

Command-line Options
Although not generally needed, you may specify the following command-line options when running setup.exe or scl.exe. You may use a dash or a forward slash before the option. Slashes are shown below for clarity. Options may also be specified by just the first letter.

• scl.exe /version or setup.exe /version -- displays the program's version and copyright information.
• setup.exe /install -- forces installation.
• scl.exe /remove or setup.exe /remove-- forces removal.
• scl.exe /foreground -- (only if supported) runs the program in the foreground.
• setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.

To assist with automated installations, the program also supports the /quiet command-line switch. You may use the /quiet switch in conjunction with /remove, /install, or /upgrade. When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered; otherwise, the program performs the requested function and exits immediately. This feature makes it easy to handle installations or upgrades network-wide with a simple batch file.

Administrative Options and Remote Installation

• Remote Install or Removal
  The setup program, setup.exe allows you to specify parameters on the command line for remote installation or removal:

      setup [ -install | -remove | -upgrade ] [ -quiet ] [\\targetmachine]
          

  Examples
  

  • setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
  • setup -remove \\barney would remove the service from the machine \\barney
  • setup -install -quiet would install the service onto the local machine without any prompts
  • setup -remove -quiet would remove the service from the local machine without any prompts

  Note: For remote installation or removal to work (i.e., specifing a target machine name as in the above two examples using \\fred and \\barney), both the machine you are working on and the target machine must be logged on under an account that has administrative privileges on the target machine.

The System Change Log Control Panel Applet

Monitored Paths

By default, System Change Log will list all of your hard drives. Subdirectories are always included, so an entry of C:\ means your entire C: drive.

Important: You should only monitor the drives and paths where you need the information. Monitoring all activities on all drives can slow down your system and fill up your log files. Adjust the entries in this box to match your monitoring requirements.

Click the Add button to add a specific path or drive to the list of monitored paths. Click the Remove button to remove the highlighted path or drive.

Click the File Selections button to bring up the Includes and Excludes dialog box:


The Includes and Excludes dialog

Included Files


Use this function if you want to tell System Change Log to monitor files by the file type (extension) instead of the default of monitoring all files in the monitored path(s).

Excluded Paths and Files


List paths or files, one per line, that you want System Change Log to ignore. You may use wildcards (asterisks and question marks) as well as system variables (example, %systemroot% or %windir%).

Unlike DOS wildcards, you may use more than one wildcard per specification. Click the Help button for syntax examples.

Tracking Options

If checked, System Change log will record a log entry for the following events:

Track File Creations:
Track File Deletions:
Track File Changes:
Track File Renames:
Track NTFS Streams:
Track File Security Changes:


Track User Information:
Click this button to bring up the User Tracking dialog:


The User Tracking screen

Due to the way Windows handles file activity internally, System Change Log can only report the name of a user account that makes a change if the success reporting function of Windows Files/Folders security auditing is enabled for the monitored path(s).

The process of enabling local security auditing is slightly different for each operating system version. See these articles from the Microsoft Knowledgebase:


• NT 4
  
• Windows 2000
  
• Windows XP
• Windows Server 2003

For example, if you want to know the names of people making changes in a folder named C:\Accounting Data on a Windows XP system, follow the instructions from Microsoft for enabling overall auditing in the Microsoft knowledgebase articles mentioned above. In Windows 2K and XP, you first enable overall Object sucess editing using the Local Security Policy MMC snap-in found in Adminstrative Tools.


Enabling overall auditing in Windows XP

Then, using Explorer (or My Computer), right-click on the C:\Accounting Data folder to bring up its Properties and enable the specific events you want to audit. Your settings screen would look similar to this (check the boxes for only the types of activity you need):


Setting audit security in Windows XP

System Change Log only cares about success events (successful changes to the files), because it only monitors changes, and an unsuccessful attempt does not result in a change.

Important note: You should only enable auditing for the folders where you need the audit information, and you should only check the boxes for the kinds of information you really need. Auditing can slow down your system if it is used excessively, and can fill your event viewer logs with hundreds of records per second on a busy machine. There's no point in recording information you will never need.

Logging Options

• Write to Event Viewer:
  If checked, System Change Log will direct log entries to the Event Viewer log.
• Write to Log File:
  If checked, System Change Log will direct log entries to the scl.log file in the %systemroot%\system32 directory (i.e. C:\winnt\system32\scl.log). The default file location can be changed by editing the Registry. See Knowledgebase Article KB2002.329 for details.
• Max Log Size:
  The maximum desired size of the scl.log file on disk. If this is set to zero, the log file size is limited only by available free space on your disk. Any other number specifies the size, in kilobytes, for the log file. The log file is checked once each hour. If it exceeds the maximum specified size, the log is trimmed by removing entries from the beginning of the file until it is smaller than the maximum specified size.
• View Log
  Clicking this button will bring up the built-in System Change Log viewer, which lets you view log entries in real time.