The System Change Log service monitors your disks for changes, and records a detailed log of file activity separate from the
regular Windows event logs. System Change Log allows easy security review of changes to your critical files without wading
through the extraneous and cryptic Event Viewer audit records generated by standard system auditing.
System Change Log works with or without Windows auditing enabled to record file and folder creation, deletion, modification, renaming,
and security descriptor changes. If standard auditing is enabled, System Change Log can also report the user account of the person making the change
(see the information on the Track User Information option below).
The System Change Log Control Panel applet lets you easily configure all aspects of SCL's activities, including which
types of events to monitor. See at a glance and control what is being monitored on your system without painstakingly using Explorer or other tools to
apply individual audit attributes to the desired disks or directories!
The System Change Log is kept in standard text format so it can be easily archived or imported into other programs such as custom
databases or spreadsheets for analysis. No need to bother with manually exporting log extracts, or worrying about reading incompatible Event Viewer
log formats on different versions of Windows.
Requirements
Version 3.1: 32 or 64-bit Windows XP, 2003/R2, Vista, 2008/R2, 2012/R2, Win7, Win10, 2016.
Works with NTFS filesystems on locally-attached drives (not Dynamic Disks).
3.1.b.20100604 - Recommended upgrade; complete rewrite of the software to provide many new features
and enhanced performance. Supports x86/x64 Windows XP, 2003/R2, Vista, Server 2008/R2, and Windows 7.
(Win9x, NT, Win2000 are not supported in this version; use v2.4 on older systems.)
2.4.b.20060130 - Optional upgrade; fixed problem adding more than one custom device mapping,
enhanced debug output, added Event Viewer Timestamp Correction registry setting for
situations where Event Viewer timestamps can't be reconciled with system time (advanced
use only).
2.4.b.20051104 - Recommended upgrade; added internal code to compensate for problems with
Microsoft's common dialog boxes during path selection (could occasionally cause inability
to select a path); also added workaround for NT4 kernel problem where ReadDirectoryChangesW
returns an invalid pointer (if problem occurs in 20051104, it is noted in the log instead of
causing System Change Log to shut down).
2.4.b.20050929 - Recommended upgrade; incorporates many fixes and enhancements recommended by customers, including
more reliable audit record lookups. Added support for XP 64-bit Edition and Windows 2003 64-bit (download the AMD64
files to run on either of these operating systems).
2.3.b.xxxxxxxx - Internal use/beta test only.
2.2.b.20050217 - Optional upgrade; added "Debug Mode" registry parameter and enhanced debugging output if Debug Mode is
set to TRUE. No other changes.
2.2.b.20040308 - Recommended upgrade for 2000/XP/2003 users. Added code to identify changes on dynamic
volumes as well as basic volumes, and increased accuracy and speed of "Whodunnit" lookups.
2.2.b.20020329 - Added security-change monitoring. Added audit record lookup to provide the username and
access method (local or network) of the person responsible for a change (requires auditing to be
enabled for the monitored event in the monitored directory). Rearranged control panel applet and
added default exclusions appropriate for Windows 2000 and XP. Fixed bug that could cause access denied
(sharing violation) errors when creating or renaming directories in a watched path.
2.1.b.20001111 - major enhancements: monitors all disks, wildcard exclusion list, log viewer,
better logging, new interface.
1.2.b.19990510 - Alpha version released.
1.1.b.970323 - first public release.
1.0.b.970202 - internal use release. Basic functionality established.
Setup & Installation
Installation
Download the software distribution .zip file from the Greyware website. Unzip the contents to a new, blank folder on your machine
- do not extract to the Desktop or a shared Temp folder to avoid extraction file conflicts.
System Change Log runs as a system service. You must be logged on using an account with administrative privileges to install or remove the service.
The distribution includes setup files for both 32-bit (x86) and 64-bit Windows (x64), each located in their respective folders.
There is a Setup.exe file located in the root folder of the distribution that will automatically determine the correct
version. Run this file to start the Setup utility and click the Install button.
Note: If User Account Control (UAC)
is enabled, you may need to right-click the Setup utility icon and choose Run as Administrator to acquire the necessary rights.
If System Change Log is already installed, the Install button will not
be present. Instead, setup will present an Upgrade button.
If older versions of any of the distribution files
already exist on your machine, the program will upgrade them automatically when you
select Upgrade.
In some cases, it may be necessary for you to reboot your machine to complete
installation or an upgrade. If so, you will be prompted to restart.
System Change Log installs to the system directory (usually c:\windows\system32).
Removal
Run setup.exe again, and click the Remove button on the setup dialog.
You may also run scl.exe /remove from the system directory. The Remove
button will only be enabled if setup determines that the service is already installed.
Upgrading
To upgrade to a new version, download and unzip the new version to a temporary
directory. Double-click the new setup.exe and click the Upgrade button.
The Upgrade button will only be visible if setup determines that an older version
of the service is already installed. Otherwise, only the Install and Remove
buttons will be shown.
Command-line Options
Although not generally needed, you may specify the following command-line options when
running the setup.exe file that matches your operating system (x86 or x64) from the distribution folders
or the installed scl.exe located in the Windows System32 folder.
You may use a dash or a forward slash before the option. Slashes
are shown below for clarity. Options may also be specified by just the first letter.
scl.exe /version or setup.exe /version -- displays the program's version and copyright information.
setup.exe /install -- forces installation.
scl.exe /remove or setup.exe /remove -- forces removal.
scl.exe /foreground -- (only if supported) runs the program in the foreground.
setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.
To assist with automated installations, the program also supports the /quiet command-line switch.
You may use the /quiet switch in conjunction with /remove, /install, or /upgrade.
When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered;
otherwise, the program performs the requested function and exits immediately. This feature makes it easy to
handle installations or upgrades network-wide with a simple batch file.
Administrative Options and Remote Installation
Remote Install or Removal
The setup program, setup.exe allows you to specify parameters on the command line for remote installation
or removal:
setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
setup -remove \\barney would remove the service from the machine \\barney
setup -install -quiet would install the service onto the local machine without any prompts
setup -remove -quiet would remove the service from the local machine without any prompts
Note: For remote installation or removal to work (i.e., specifying a target machine name as in the above two examples
using \\fred and \\barney), both the machine you are working on and the target machine must be logged on
under an account that has administrative privileges on the target machine.
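The quiet and remote switches above are what make unattended, network-wide deployment possible. The script below is an added example (not Greyware's code) that fans the documented setup.exe command lines out over a host list. It assumes only the switches shown in this manual (-install, -upgrade, -remove, -quiet and the \\host parameter); SETUP_EXE is a placeholder path to your copy of setup.exe, and treating a non-zero exit code as "setup reported an error" is an assumption, since the manual does not document exit codes. It must be run from an account that is an administrator on every target, as the note above requires.

```python
"""Fan out a quiet System Change Log install/upgrade/removal to a list of hosts.

Added example, not part of the System Change Log distribution. Assumptions:
  - setup.exe accepts -install/-upgrade/-remove, -quiet and \\host (per the manual);
  - a non-zero exit code means setup reported an error (not documented; assumed);
  - SETUP_EXE is a placeholder path to a copy of the distribution's setup.exe.
"""
import subprocess
import sys
from typing import Dict, List, Optional

SETUP_EXE = r"\\fileserver\share\SCL\setup.exe"  # placeholder path, adjust to your copy
VALID_ACTIONS = ("install", "upgrade", "remove")


def build_command(action: str, host: Optional[str] = None, quiet: bool = True) -> List[str]:
    """Return the argv for one setup.exe invocation.

    host=None targets the local machine; otherwise the documented \\name form is used.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {VALID_ACTIONS}")
    argv = [SETUP_EXE, f"-{action}"]
    if quiet:
        argv.append("-quiet")          # no dialogs unless setup hits an error
    if host:
        argv.append("\\\\" + host.lstrip("\\"))   # accept "fred" or "\\fred"
    return argv


def deploy(action: str, hosts: List[str], dry_run: bool = False) -> Dict[str, Optional[int]]:
    """Run setup.exe once per host; return {host: exit_code} (None when dry-running).

    Hosts whose setup exits non-zero are reported on stderr so they can be
    checked by hand instead of being silently skipped.
    """
    results: Dict[str, Optional[int]] = {}
    for host in hosts:
        argv = build_command(action, host)
        print(" ".join(argv))
        if dry_run:
            results[host] = None
            continue
        proc = subprocess.run(argv)
        results[host] = proc.returncode
        if proc.returncode != 0:
            print(f"  {host}: setup exited with {proc.returncode}, check manually",
                  file=sys.stderr)
    return results


if __name__ == "__main__":
    # Constructed host list; replace with your own inventory.
    print(deploy("upgrade", ["fred", "barney"], dry_run=True))
```

Run it with dry_run=True first to review the exact command lines before anything is executed on the remote machines.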
Documentation
System Change Log runs as a background system service. You configure the options for the service by using the System Change Log Control Panel Applet (click the icon found in the Control Panel).
Note: If User Account Control (UAC) is enabled on your system, you may need to right-click the System Change Log icon in the Control Panel and choose Run as Administrator to open the applet.
Note: Changes you make on the applet will not take effect until you click the Apply button.
Monitored Paths
Click the Add button to add a specific path or drive to the list of monitored paths.
Click the Remove button to remove the highlighted path or drive.
When you select a folder, subdirectories are always included, so an entry of C:\ means your entire C: drive.
Important: You should only monitor the drives and paths where you need the information. Monitoring all
activities on all drives can slow down your system and fill up your log files. Adjust the entries in this box to match your actual monitoring requirements.
Tracking Options
If checked, System Change Log will record a log entry for the following events:
Due to the way Windows handles file activity internally, System Change Log can only report the name of a user account or program
that makes a change if the success reporting function of Windows Files/Folders security auditing is enabled for the monitored path(s).
Fortunately, System Change Log handles the complexity of enabling the right kind of auditing for you. This dialog displays the current
status of the three tasks necessary to successfully track user information. If any item is set incorrectly, click the Fix button to remedy it.
Note: If you add new paths to the Monitored Path list, you will need to Fix
the Specific File and Folder auditing... item to be sure it is enabled properly for the new paths.
Next, click the Files tab to bring up the Includes and Excludes dialog box:
Use this function if you want to tell System Change Log to monitor files by the file type (extension) instead
of the default of monitoring all files in the monitored path(s).
Excluded Paths and Files
List paths or files, one per line, that you want System Change Log to ignore. You may use
wildcards (asterisks and question marks) as well as system variables (example, %systemroot% or %windir%).
Unlike DOS wildcards, you may use more than one wildcard per specification. Click the Help
button for syntax examples.
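To see how a multi-wildcard exclusion list of this kind behaves against real paths, here is an added example (not Greyware's code) that translates one-per-line specs into case-insensitive matchers. It assumes that '*' matches any run of characters (including backslashes), '?' matches exactly one character, %NAME% expands from the environment, and that an excluded folder also excludes everything beneath it; System Change Log's own matcher may differ in these details, so use the applet's Help button for the authoritative syntax. The %systemroot%/%windir% values and the exclusion list are constructed so the script runs on any platform.

```python
"""Match paths against System Change Log-style exclusion specs.

Added example, not part of the System Change Log distribution. Assumed semantics:
'*' matches any run of characters (backslashes included), '?' matches exactly one
character, %NAME% expands from the environment, matching is case-insensitive, and an
excluded folder also covers its contents. SCL's real matcher may differ.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed values for %systemroot%/%windir% so the example runs anywhere.
FAKE_ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows"}


def expand_vars(spec: str, env: Dict[str, str]) -> str:
    """Replace %NAME% tokens from env (case-insensitive names); unknown names stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), spec)


def spec_to_regex(spec: str, env: Dict[str, str]) -> "re.Pattern":
    """Translate one exclusion line into an anchored, case-insensitive regex."""
    spec = expand_vars(spec.strip(), env)
    parts: List[str] = []
    for ch in spec:
        if ch == "*":
            parts.append(".*")     # any run, may span directory separators
        elif ch == "?":
            parts.append(".")      # exactly one character
        else:
            parts.append(re.escape(ch))
    # "(\\.*)?" lets a spec that names a folder also match everything under it (assumption).
    return re.compile("^" + "".join(parts) + r"(\\.*)?$", re.IGNORECASE)


class ExclusionList:
    """The applet's one-per-line exclusion box, compiled into ordered rules."""

    def __init__(self, lines: Iterable[str], env: Optional[Dict[str, str]] = None):
        env = env if env is not None else dict(os.environ)
        self.rules: List[Tuple[str, "re.Pattern"]] = [
            (line, spec_to_regex(line, env)) for line in lines if line.strip()
        ]

    def excluded_by(self, path: str) -> Optional[str]:
        """Return the first spec that excludes `path`, or None if it should be logged."""
        for spec, rx in self.rules:
            if rx.match(path):
                return spec
        return None


# Constructed exclusion list in the manual's one-per-line form.
EXCLUSIONS = """
%systemroot%\\Temp\\*
*\\*.tmp
C:\\Logs\\app-??.log
%windir%\\Prefetch
""".strip().splitlines()


def demo() -> Dict[str, Optional[str]]:
    """Classify a handful of constructed paths; None means 'would be logged'."""
    ex = ExclusionList(EXCLUSIONS, FAKE_ENV)
    return {p: ex.excluded_by(p) for p in [
        r"C:\Windows\Temp\setup123.tmp",          # first rule wins
        r"D:\Data\report.TMP",                    # case-insensitive, two wildcards
        r"C:\Logs\app-01.log",                    # '??' matches two characters
        r"C:\Logs\app-001.log",                   # three digits: not excluded
        r"C:\Windows\Prefetch\SCL.EXE-1234.pf",   # under an excluded folder
        r"C:\Users\alice\Documents\budget.xlsx",  # nothing matches: logged
    ]}


if __name__ == "__main__":
    for path, spec in demo().items():
        print(f"{path:45} -> {spec or 'LOGGED'}")
```

The ordering matters: rules are tested top to bottom and the first match wins, so a broad spec such as *\*.tmp placed early can hide the effect of narrower ones below it. Review an exclusion list this way before applying it, because every path it swallows is a change that will never reach the log.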
Logging Options
Write to Event Viewer: If checked, System Change Log will direct log entries to
the Event Viewer log.
Write to Log File: If checked, System Change Log will direct log entries to
the scl.log file in the %systemroot%\system32 directory (i.e. C:\winnt\system32\scl.log).
The default file location can be changed by editing the Registry. See Knowledgebase Article KB2002.329
for details.
Max Log Size: The maximum desired size of the scl.log file on disk. If this
is set to zero, the log file size is limited only by available free space on your disk. Any
other number specifies the size, in kilobytes, for the log file. The log file is checked
once each hour. If it exceeds the maximum specified size, the log is trimmed by removing
entries from the beginning of the file until it is smaller than the maximum specified size.
View Log: Clicking this button will bring up the built-in System Change Log viewer, which lets you view log entries in real time.
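The Max Log Size trimming rule described above (cap in kilobytes, 0 meaning unlimited, oldest entries removed from the front until the file is under the cap) has a consequence worth seeing in code: the entries discarded are the oldest ones, which is exactly the evidence an after-the-fact review needs. The following is an added example (not Greyware's code) that implements the same rule as a plain function and adds an archive step so trimmed lines are kept elsewhere rather than lost. It assumes one record per line and uses constructed placeholder lines rather than System Change Log's real record format.

```python
"""Trim a text log from the front until it fits a size cap, as the Max Log Size
option is described, with an optional archive of the discarded lines.

Added example, not part of the System Change Log distribution. Assumes one record
per line; the record text used below is a constructed placeholder, not SCL's format.
"""
import os
import shutil
import tempfile
from typing import Dict, Optional, Tuple


def trim_log_text(data: bytes, max_kb: int) -> Tuple[bytes, int]:
    """Return (trimmed data, lines removed).

    max_kb == 0 means unlimited. If the data exceeds max_kb KB, whole lines are
    dropped from the start until the remainder is smaller than the cap.
    """
    if max_kb <= 0:
        return data, 0
    limit = max_kb * 1024
    if len(data) <= limit:          # does not exceed the cap: nothing to do
        return data, 0
    removed = 0
    while len(data) >= limit:
        nl = data.find(b"\n")
        if nl == -1:                # a single oversized line: drop it entirely
            return b"", removed + (1 if data else 0)
        data = data[nl + 1:]
        removed += 1
    return data, removed


def trim_log_file(path: str, max_kb: int, archive_dir: Optional[str] = None) -> int:
    """Apply trim_log_text to a file in place and return the number of lines removed.

    When archive_dir is given, the lines about to be discarded are appended to
    <archive_dir>/<basename>.archive first, so the audit trail survives the trim.
    """
    with open(path, "rb") as f:
        data = f.read()
    kept, removed = trim_log_text(data, max_kb)
    if removed == 0:
        return 0
    if archive_dir:
        os.makedirs(archive_dir, exist_ok=True)
        dropped = data[:len(data) - len(kept)]    # kept is always a suffix of data
        with open(os.path.join(archive_dir, os.path.basename(path) + ".archive"), "ab") as a:
            a.write(dropped)
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:                    # write-then-rename, never a half-written log
        f.write(kept)
    os.replace(tmp, path)
    return removed


def demo() -> Dict[str, int]:
    """Round-trip 300 constructed 42-byte records through a temp file with a 2 KB cap."""
    data = b"".join(f"record {i:04d} constructed placeholder entry\n".encode() for i in range(300))
    workdir = tempfile.mkdtemp()
    try:
        log = os.path.join(workdir, "scl.log")
        with open(log, "wb") as f:
            f.write(data)
        removed = trim_log_file(log, 2, archive_dir=os.path.join(workdir, "archive"))
        return {
            "removed": removed,
            "log_size": os.path.getsize(log),
            "archive_size": os.path.getsize(os.path.join(workdir, "archive", "scl.log.archive")),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

With a cap of 2 KB and 42-byte records, 48 records (2016 bytes) remain and 252 are moved to the archive; the two sizes add up to the original file, which is the property to check whenever a retention cap is in force.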