The file tracing function cannot be used with the compression and decompression logs of compression software (such as ZIP, LZH, and the compression tools provided by Microsoft).
The application operation log of functions added to Internet Explorer® or Windows Explorer will not be collected.
When the OS is Windows Vista®, Windows Server® 2008, or Windows® 7, if privilege elevation is allowed through UAC and the operation is continued, the program name in the collected log is displayed in [Content] of [Log List] of Log Viewer.
If a file is displayed in the [Open File] dialog box, a viewing log will be collected even if the file is not opened.
When a large file is copied, a large number of file operation logs will be collected.
Under the following conditions, the file size may not be obtained normally.
When a file is moved and renamed repeatedly or the device that stores the processed file is added, deleted, and ejected within 30 seconds.
When file operations are performed before logoff or shutdown.
When the following software or command is used, the file operation log will be collected as described in “8.2.20 File Operation Log”.
Windows Explorer
Notepad
Wordpad
Microsoft® Word (2000, 2002, 2003, 2007 and 2010)
Microsoft® Excel (2000, 2002, 2003, 2007 and 2010)
Microsoft® PowerPoint® (2000, 2002, 2003, 2007 and 2010)
Commands in the Command Prompt window (COPY, XCOPY, MOVE, DEL, ERASE, RD, REN and MD)
However, please pay attention to the following items.
The [Update] operations (such as Save As and Replace) of Microsoft® Word are collected as [Create] operation logs.
As with Explorer and XCOPY, for a process registered in the [File Operation Process] tab, if the scope of the file operation log of this process is set to [Get operations excluding viewing], the [View] logs of the process will not be collected.
Extra logs that are not listed in “8.2.20 File Operation Log” may sometimes be collected even when the software or commands mentioned above are used.
When software or commands other than the above are used, operation logs that do not match the actual operation may sometimes be collected (for example, [Copy] or [Move] logs cannot be collected; the operations are collected as [View], [Create], [Delete], or [Rename] operations instead).
When the Redirect command (> or >>) or MD command is run in Command Prompt, logs cannot be collected.
When the data in the local drive is written to a DVD/CD by using the burning software, this operation can only be collected as a [View] operation instead of [Copy] because information of access to DVD/CD cannot be collected.
For output to a tape device, communication through cross cable such as RS-232C, or operation via IrDA (Infrared device), since the information of target drive cannot be obtained, only the information of local drive will be collected during log collection.
When a large file is moved (it takes more than 30 seconds to move one file), the log may sometimes be split into two logs, [Copy] and [Delete].
When the Move command is used to move a file by overwriting in the same drive, if the overwriting operation is performed after the prompt for confirmation of overwriting has been displayed for more than 30 seconds, the log will be [Rename] instead of [Move]. When other commands are used, if the confirmation prompt is displayed, the collected log may sometimes be different from the actual operation.
If the COPY or XCOPY command such as COPY A.TXT+B.TXT C.TXT or COPY *.TXT C.TXT is executed in Command Prompt, it will be collected as the [Create] log of C.TXT.
A maximum of 259 bytes can be collected as the information of [File Name], [Target File Name], or [Source File Name] in a collected log.
When a path that does not exist is specified in a file operation in Command Prompt, the operation will fail, but the log will still be collected.
When an operation that displays a confirmation window is performed, the file operation log will still be collected even if the operation is cancelled.
In Windows Vista®, Windows Server® 2008, or Windows® 7, when an operation that displays a confirmation window (copy by overwriting, move by overwriting) is performed, the log type will not be recorded as [Copy] or [Move]. (The update log of the target file for copying or moving and the log of deleting the source of moving will be collected.)
In a virtual environment, the file name on a physical drive accessed through drive mapping may sometimes contain the extra information [\\Device\PicaDriveRedirector\].
Example: [\\Client\F$\Customer\CustomerInformation.xls] will be obtained as [\\Device\PicaDriveRedirector\Client\F$\Customer\CustomerInformation.xls].
In a virtual environment, the full path may not be obtained for the file name on a physical drive accessed through drive mapping.
Example: [\\Client\F$\Customer\CustomerInformation.xls] will be obtained as [\\CustomerInformation.xls] or [\\Customer\CustomerInformation.xls].
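The two virtual-environment cases above matter when collected logs are searched or correlated by file name. The following is an added example, not part of the product or this manual: it removes the [\\Device\PicaDriveRedirector\] prefix and checks whether a shortened name could refer to a known full path. The function names and the component-tail heuristic are assumptions.

```python
# Added example: canonicalise [File Name] values collected in a virtual environment.
# The prefix and sample paths come from the notes above; function names are hypothetical.

REDIRECTOR_PREFIX = "\\\\Device\\PicaDriveRedirector\\"


def components(name):
    """Lower-cased path components, ignoring leading and doubled backslashes."""
    return [part.lower() for part in name.split("\\") if part]


def normalize_file_name(name):
    """Return (name without the redirector prefix, list of notes for the analyst)."""
    notes = []
    if name.lower().startswith(REDIRECTOR_PREFIX.lower()):
        name = "\\\\" + name[len(REDIRECTOR_PREFIX):]
        notes.append("redirector-prefix-removed")
    if name.startswith("\\\\") and len(components(name)) < 3:
        # A file on a share needs at least \\computer\share\file, so a shorter
        # name may be one of the shortened forms described above.
        notes.append("path-may-be-incomplete")
    return name, notes


def may_refer_to(collected, full_path):
    """True if the collected name equals full_path or is a component-wise tail of it."""
    tail = components(normalize_file_name(collected)[0])
    full = components(normalize_file_name(full_path)[0])
    return bool(tail) and len(tail) <= len(full) and full[-len(tail):] == tail


if __name__ == "__main__":
    full = r"\\Client\F$\Customer\CustomerInformation.xls"
    samples = [  # the forms listed in the notes above
        r"\\Device\PicaDriveRedirector\Client\F$\Customer\CustomerInformation.xls",
        r"\\CustomerInformation.xls",
        r"\\Customer\CustomerInformation.xls",
    ]
    for sample in samples:
        print(normalize_file_name(sample), may_refer_to(sample, full))
```

A match from may_refer_to only means the names are compatible; a shortened name can fit more than one full path.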
When collecting operation logs, register the process whose file operation logs are to be recorded in the [File Operation Process] tab. If the [Select according to Extension] option is then set to [Get all extensions], information about all files accessed by the process (application) will be collected. Apart from data files, these files also include execution modules and temporary files, such as files with the “exe”, “dll”, “ini”, “tmp”, “lnk” or “inf” extension. All of these operation logs will be collected.
The operation log of playing music CDs cannot be collected.
The file operation logs collected for network drives cover file and folder operations performed from the client (CT) of Systemwalker Desktop Keep on computers in the network.
The file operation log relating to a network drive is displayed in UNC format, or in UNC format in which the computer-name part is an IP address. However, under the following conditions, the [Target File Name] information of the log will be displayed with the absolute path of the file name or folder name.
A drive letter is allocated to the network drive and a rename operation is performed within that drive letter.
A drive letter is allocated to the network drive and a move operation is performed within that drive letter.
A drive letter is allocated to the network drive and a move operation is performed from a folder that was accessed directly on the same network drive as the one the drive letter is allocated to.
For move operations between a drive letter allocated to a network drive and a folder that was accessed directly on the same network drive as the one the drive letter is allocated to, the logs listed in “8.2.20 File Operation Log” will be collected, but the following information in the collected logs may be different.
In [File operation]-[About log of files under the folder]-[In same drive], logs of [Rename] instead of [x] will be collected.
In [File operation]-[About log of folder]-[In same drive], logs of [Create], [Delete], and [(Delete)] instead of [Rename], [(Rename)], and [(Delete)] will be collected.
With the excluded-folder setting for obtaining file operation logs, a disk that the OS identifies as a removable drive will not be excluded, even if it is a built-in disk.
Even if the excluded folder is enabled, the operation logs related to the folders that are not excluded will be obtained.
All the folders, subfolders, and files under an excluded folder are targets to be excluded.
When modifying the configuration value of system environment variable TEMP and TMP, the value after modification will take effect after the next startup of OS. The configuration value prior to modification will be used before the OS is restarted.
When modifying the configuration value of user environment variable TEMP and TMP, the value after modification will take effect upon the next user logon. The configuration value prior to modification will be used before the next logon.
When only symbols such as “\” and “\\” have been set in the configuration value of TEMP and TMP of system environment variable and user environment variable, the setting will be invalid.
“\” indicates the root directory of the current drive while the program is running, but it will not be excluded because that location is not fixed.
In addition, “\\” indicates the beginning of a network path in UNC format, but it is meaningless on its own, so it will not be excluded either.
When the folders of the system environment variables TEMP and TMP and the temporary Internet files are specified as targets for exclusion, if the file name is a path of more than 260 bytes, the exclusion setting will be invalid and the file operation log will be collected.
However, if the path is 260 bytes and the 260th byte is “\”, the setting will be valid.
If the path of an excluded target contains dedicated UNICODE characters, these characters will be replaced with “?” before comparison. Therefore, file operation logs that contain UNICODE characters at the same place will also be excluded.
For example, when Windows user name contains dedicated UNICODE characters, access to the TEMP or TMP folders of other users that also contain dedicated UNICODE characters will also be excluded.
When the path of excluded target in Windows Vista®, Windows Server® 2008, or Windows® 7 contains dedicated UNICODE characters, it will not become the target for exclusion.
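The replacement with “?” described above means one exclusion entry can also cover folders belonging to other users. The following is an added example, not taken from the product, that models that comparison so an administrator can list which other folders an entry also covers. It assumes that dedicated UNICODE characters are those with no encoding in the client's ANSI code page (cp932 is used as a sample) and that the comparison is a case-insensitive prefix match; the paths are constructed samples.

```python
# Added example: model of the "?" replacement, used to audit which other folders
# an exclusion entry would also silence. Not the product's code. Assumption:
# "dedicated UNICODE characters" have no encoding in the client's ANSI code page.
# The 260-byte rule and the Windows Vista / 2008 / 7 behaviour are not modelled.

ANSI_CODE_PAGE = "cp932"  # assumption: adjust to the client's locale

# Constructed sample data: the excluded TEMP folder and TEMP folders of other users.
EXCLUDED = "C:\\Documents and Settings\\김\\Local Settings\\Temp"
TEMP_FOLDERS = [
    "C:\\Documents and Settings\\김\\Local Settings\\Temp",
    "C:\\Documents and Settings\\박\\Local Settings\\Temp",
    "C:\\Documents and Settings\\김민\\Local Settings\\Temp",
    "C:\\Documents and Settings\\tanaka\\Local Settings\\Temp",
]


def ansi_view(path):
    """Replace every character the code page cannot encode with '?'."""
    return path.encode(ANSI_CODE_PAGE, errors="replace").decode(ANSI_CODE_PAGE)


def comparison_key(folder):
    """Form in which a folder is compared: replaced, lower-cased, one trailing '\\'."""
    return ansi_view(folder).rstrip("\\").lower() + "\\"


def is_excluded(file_name, excluded_folder):
    """True if file_name lies in or under excluded_folder after replacement."""
    return (ansi_view(file_name).lower() + "\\").startswith(comparison_key(excluded_folder))


def shadowed_folders(excluded_folder, other_folders):
    """Folders that differ on disk but compare equal to the exclusion entry."""
    return [
        folder for folder in other_folders
        if folder.lower() != excluded_folder.lower()
        and comparison_key(folder) == comparison_key(excluded_folder)
    ]


if __name__ == "__main__":
    print(ansi_view(EXCLUDED))
    for folder in shadowed_folders(EXCLUDED, TEMP_FOLDERS):
        print("also excluded:", folder)
```

Any folder reported by shadowed_folders is one whose file operation logs would be dropped together with the intended exclusion.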