Version 3.1 is now available for download.

Runs on Windows XP, 2003/R2, Vista, 2008/R2, 2012/R2, Win7, Win10, 2016, and 2019

Easily monitor NTFS file systems for changes. Know what's changed and who did it.

Record only the security information you want without wading through hundreds of unwanted audit events!

Reports the user account or program making a change!

Keep detailed, easy-to-read logs of your choice (Text, CSV, Windows Event, Syslog)!

Automatically adjusts your Windows file auditing settings without having to wade through Local Security or Active Directory policies

The System Change Log service monitors your disks for changes, and records a detailed log of file activity separate from the regular Windows event logs. System Change Log allows easy security review of changes to your critical files without wading through the extraneous and cryptic Event Viewer audit records generated by standard system auditing.

System Change Log Control Panel Applet
System Change Log Control Panel Applet   [Click for larger size]

System Change Log works with or without Windows's auditing enabled to record file and folder creation, deletion, modification, renaming, and security descriptor changes. If standard auditing is enabled, System Change Log can also report the user account of the person making the change (see the information on the Track User Information option below).

The System Change Log Control Panel applet lets you easily configure all aspects of SCL's activities, including which types of events to monitor. See at a glance and control what is being monitored on your system without painstakingly using Explorer or other tools to apply individual audit attributes to the desired disks or directories!

The System Change Log is kept in standard text format so it can be easily archived or imported into other programs such as custom databases or spreadsheets for analysis. No need to bother with manually exporting log extracts, or worrying about reading incompatible Event Viewer log formats on different versions of Windows.

    Version 3.1: 32 or 64-bit Windows XP, 2003/R2, Vista, 2008/R2, 2012/R2, Win7, Win10, 2016.
    Works with NTFS filesystems on locally-attached drives (not Dynamic Disks).

    For support on older version of Windows, see the version 2.4 documentation page.

  • 3.1.b.20100604 - Recommended upgrade; complete rewrite of the software to provide many new features and enhanced performance. Supports x86/x64 Windows XP, 2003/R2, Vista, Server 2008/R2, and Windows 7. (Win9x, NT, Win2000 are not supported in this version; use v2.4 on older systems.)

  • 2.4.b.20060130 - Optional upgrade; fixed problem adding more than one custom device mapping, enhanced debug output, added Event Viewer Timestamp Correction registry setting for situations where Event Viewer timestamps can't be reconciled with system time (advanced use only).

  • 2.4.b.20051104 - Recommended upgrade; added internal code to compensate for problems with Microsoft's common dialog boxes during path selection (could occasionally cause inability to select a path); also added workaround for NT4 kernel problem where ReadDirectoryChangesW returns an invalid pointer (if problem occurs in 20051104, it is noted in the log instead of causing System Change Log to shut down).

  • 2.4.b.20050929 - Recommended upgrade; incorporates many fixes and enhancements recommended by customers, including more reliable audit record lookups. Added support for XP 64-bit Edition and Windows 2003 64-bit (download the AMD64 files to run on either of these operating systems).

  • 2.3.b.xxxxxxxx - Internal use/beta test only.

  • 2.2.b.20050217 - Optional upgrade; added "Debug Mode" registry parameter and enhanced debugging output if Debug Mode is set to TRUE. No other changes.

  • 2.2.b.20040308 - Recommended upgrade for 2000/XP/2003 users. Added code to identify changes on dynamic volumes as well as basic volumes, and increased accuracy and speed of "Whodunnit" lookups.

  • 2.2.b.20020329 - Added security-change monitoring. Added audit record lookup to provide the username and access method (local or network) of the person responsible for a change (requires auditing to be enabled for the monitored event in the monitored directory). Rearranged control panel applet and added default exclusions appropriate for Windows 2000 and XP. Fixed bug that could cause access denied (sharing violation) errors when creating or renaming directories in a watched path.

  • 2.1.b.20001111 - major enhancements: monitors all disks, wildcard exclusion list, log viewer, better logging, new interface.

  • 1.2.b.19990510 - Alpha version released.

  • 1.1.b.970323 - first public release.

  • 1.0.b.970202 - internal use release. Basic functionality established.

Setup & Installation
    Download the software distribution .zip file from the Greyware website. Unzip the contents to a new, blank folder on your machine - do not extract to the Desktop or a shared Temp folder to avoid extraction file conflicts.

    System Change Log runs as a system service. You must be logged on using an account with administrative privileges to install or remove the service.

    The distribution includes setup files for both 32-bit (x86) and 64-bit Windows (x64), each located in their respective folders. There is a Setup.exe file located the root folder of the distribution that will automatically determine the correct version. Run this file to start the Setup utility and click the Install button.

    Note: If User Account Control (UAC) is enabled, you may need to right-click the Setup utility icon and choose Run as Administrator to aquire the necessary rights.

    If System Change Log is already installed, the Install button will not be present. Instead, setup will present an Upgrade button. If older versions of any of the distribution files already exist on your machine, the program will upgrade them automatically when you select Upgrade. In some cases, it may be necessary for you to reboot your machine to complete installation or an upgrade. If so, you will be prompted to restart.

    System Change Log installs to the system directory (usually c:\windows\system32).

    Run setup.exe again, and click the Remove button on the setup dialog. You may also run scl.exe /remove from the system directory. The Remove button will only be enabled if setup determines that the service is already installed.

    To upgrade to a new version, download and unzip the new version to a temporary directory. Double-click the new setup.exe and click the Upgrade button. The Upgrade button will only be visible if setup determines that an older version of the service is already installed. Otherwise, only the Install and Remove buttons will be shown.

    Command-line Options
    Although not generally needed, you may specify the following command-line options when running the setup.exe file that matches your operating system (x86 or x64) from the distribution folders or the installed scl.exe located in the Windows System32 folder.

    You may use a dash or a forward slash before the option. Slashes are shown below for clarity. Options may also be specified by just the first letter.

    • scl.exe /version or setup.exe /version -- displays the program's version and copyright information.
    • setup.exe /install -- forces installation.
    • scl.exe /remove or setup.exe /remove-- forces removal.
    • scl.exe /foreground -- (only if supported) runs the program in the foreground.
    • setup.exe /upgrade -- upgrade to newer version without removing and reinstalling.

    To assist with automated installations, the program also supports the /quiet command-line switch. You may use the /quiet switch in conjunction with /remove, /install, or /upgrade. When the /quiet switch is specified, the program only displays dialog boxes if errors are encountered; otherwise, the program performs the requested function and exits immediately. This feature makes it easy to handle installations or upgrades network-wide with a simple batch file.

    Administrative Options and Remote Installation

    • Remote Install or Removal
      The setup program, setup.exe allows you to specify parameters on the command line for remote installation or removal:

          setup [ -install | -remove | -upgrade ] [ -quiet ] [\\targetmachine]


      • setup -upgrade \\fred would install the service (upgrading if necessary) onto the machine named \\fred
      • setup -remove \\barney would remove the service from the machine \\barney
      • setup -install -quiet would install the service onto the local machine without any prompts
      • setup -remove -quiet would remove the service from the local machine without any prompts

      Note: For remote installation or removal to work (i.e., specifing a target machine name as in the above two examples using \\fred and \\barney), both the machine you are working on and the target machine must be logged on under an account that has administrative privileges on the target machine.

    System Change Log runs as a background system service. You configure the options for the service by using the System Change Log Control Panel Applet (click the icon found in the Control Panel).

    Note: If User Account Control (UAC) is enabled on your system, you may need to right-click the System Change Log icon in the Control Panel and choose Run as Administrator to open the applet.

    System Change Log Control Panel Applet
    System Change Log Control Panel Applet   [Click for larger size]

    Note: Changes you make on the applet will not take effect until you click the Apply button.

    Montored Paths

      Click the Add button to add a specific path or drive to the list of monitored paths. Click the Remove button to remove the highlighted path or drive.

      When you select a folder, subdirectories are always included, so an entry of C:\ means your entire C: drive.

      Important: You should only monitor the drives and paths where you need the information. Monitoring all activities on all drives can slow down your system and fill up your log files. Adjust the entries in this box to match your actual monitoring requirements.

    Tracking Options

      If checked, System Change log will record a log entry for the following events:

      Track file Creations:
      Track file Deletions:
      Track file Changes:
      Track file Renames:
      Track file attribute changes:
      Track NTFS Stream changes:
      Track security Changes:

      Track User Information:
      Click this button to bring up the Auditing dialog:

        The Auditing Dialog Page
        The Auditing Dialog Page   [Click for larger size]

        Due to the way Windows handles file activity internally, System Change Log can only report the name of a user account or program that makes a change if the success reporting function of Windows Files/Folders security auditing is enabled for the monitored path(s).

        Fortunately, System Change Log handles the complexity of enabling the right kind of auditing for you. This dialog displays the current status of the three tasks necessary to successfully track user information. If any item is set incorrectly, click the Fix button to remedy it.

        Note: If you add new paths to the Monitored Path list, you will need to Fix the Specific File and Folder auditing... item to be sure it is enabled properly for the new paths.

    Next, click the Files tab to bring up the Includes and Excludes dialog box:

      The Files Tab Page
      The Files Tab Page   [Click for larger size]

      Included Files

        Use this function if you want to tell System Change Log to monitor files by the file type (extension) instead of the default of monitoring all files in the monitored path(s).

      Excluded Paths and Files

        List paths or files, one per line, that you want System Change Log to ignore. You may use wildcards (asterisks and question marks) as well as system variables (example, %systemroot% or %windir%).

        Unlike DOS wildcards, you may use more than one wildcard per specification. Click the Help button for syntax examples.

Logging Options

  • Write to Event Viewer:
    If checked, System Change Log will direct log entries to the Event Viewer log.
  • Write to Log File:
    If checked, System Change Log will direct log entries to the scl.log file in the %systemroot%\system32 directory (i.e. C:\winnt\system32\scl.log). The default file location can be changed by editing the Registry. See Knowledgebase Article KB2002.329 for details.
  • Max Log Size:
    The maximum desired size of the scl.log file on disk. If this is set to zero, the log file size is limited only by available free space on your disk. Any other number specifies the size, in kilobytes, for the log file. The log file is checked once each hour. If it exceeds the maximum specified size, the log is trimmed by removing entries from the beginning of the file until it is smaller than the maximum specified size.
  • View Log
    Clicking this button will bring up the built-in System Change Log viewer, which lets you view log entries in real time.

SCL Logs
Sample from the System Change Log viewer

Copyright © 1995-2024 Greyware Automation Products, Inc.  All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.
Greyware Automation Products, Inc.
308 Oriole Ct, Murphy, TX 75094
972-867-2794 (voice) 972-208-1479 (fax)

Close Printer-Friendly Version