Systemwalker Desktop Keeper User's Guide for Administrator
FUJITSU Software

1.2.30 File Operation Log

Notes on operations that generate a large volume of logs
  • When you shut down or restart immediately after an operation that generates a large volume of logs (*1), some logs generated before the restart may not be collected.
    When you perform such an operation, wait a while before performing shutdown processing.

  • After an operation that generates a large volume of logs, Systemwalker Desktop Keeper processes may temporarily experience high load.
    This is not an issue if the high load is temporary, but if it occurs periodically, take measures such as removing folders for which a large volume of logs are likely to be created.

    *1: For example: Operations such as batch copy and deletion of folders that contain several tens of thousands of files

    Regular file operations that use batch processing

When the actual operation is different from the collected operation log
  • When the following software or command is used, the file operation log will be collected as described in "9.2.21 File Operation Log".

    • Windows Explorer

    • Notepad

    • Wordpad

    • Microsoft Word (2010, 2013, and 2016)

    • Microsoft Excel (2010, 2013, and 2016)

    • Microsoft PowerPoint (2010, 2013, and 2016)

    • Commands in the Command Prompt window (COPY, XCOPY, MOVE, DEL, ERASE, RD, REN and MD)

    However, pay attention to the following items.

    • The "Update" operations (such as Save As and Replace) of Microsoft Word are collected as Create operation logs.

    • In Microsoft Word, Excel, and PowerPoint, the "Create" operation may be collected as an "Update" log (Microsoft Office 2013 and 2016).

    • As with Windows Explorer and XCOPY, for a process registered in the File operation, if the scope of the file operation log of this process is set to Get operations excluding viewing, the View logs of the process will not be collected.

    • Extra logs that are not listed in "9.2.21 File Operation Log" may sometimes be collected even when the software or command mentioned above is used.

    • When the "Move" operation is performed in the above software or commands, "Copy" and "Create" (move source) logs may be collected.

    • When the Redirect command (> or >>) or MD command is run in Command Prompt, logs cannot be collected.

    • A file operation log may not be collected if an attempt to open a file that the user does not have the access privilege for is denied.

  • An operation log that does not match the actual operation may sometimes be collected.
    Example: "Copy" may be recorded as "View", "Create", or "Rename" in the collected log.
    Example: "Move" may be recorded as "View", "Create", "Delete" or "Rename" in the collected log.

  • When data in the local drive is written to a DVD/CD by using burning software, this operation can only be collected as a View operation instead of Copy, because information about access to the DVD/CD cannot be collected.

  • For output to a tape device, communication through a cross cable such as RS-232C, or operation via IrDA (infrared device), the information of the target drive cannot be obtained, so only the information of the local drive is collected during log collection.

  • When moving a large file (it takes more than 30 seconds to move one file), the log may sometimes be split into two logs, Copy and Delete.

  • When the Move command is used to move a file by overwriting in the same drive, if the overwriting operation is performed after the prompt for confirmation of overwriting has been displayed for more than 30 seconds, the log will be Rename instead of Move. When other commands are used, if the confirmation prompt is displayed, the collected log may sometimes differ from the actual operation.

  • If the COPY or XCOPY command such as COPY A.TXT+B.TXT C.TXT or COPY *.TXT C.TXT is executed in Command Prompt, it will be collected as the Create log of C.TXT.

  • A maximum of 520 halfwidth characters (260 fullwidth characters) can be collected as the information of File Name, Target File Name, or Source File Name in a collected log.

  • When a path that does not exist is specified in a file operation in Command Prompt, the operation will fail, but the log will still be collected.

  • When an operation that displays a confirmation window is performed, the file operation log will still be collected even if the operation is cancelled.

  • When an operation that displays a confirmation window (copy by overwriting, move by overwriting) is performed, the log type will not be recorded as Copy or Move. The collected logs will be the "Update" log of the copy destination file or move destination file, the "Delete" log of the move source, and the "Rename" log of the copy source file and copy destination file, or the move source file and move destination file, if the same drive is used.

  • In a virtual environment, the file name on a physical drive accessed through drive mapping may sometimes contain extra information [\\Device\PicaDriveRedirector\].
    Example: [\\Client\F$\Customer\CustomerInformation.xls] will be obtained as [\\Device\PicaDriveRedirector\Client\F$\Customer\CustomerInformation.xls].

  • In a virtual environment, the full path of a file may not be obtained if the file operation is performed on a mapped physical drive.
    Example: [\\Client\F$\Customer\CustomerInformation.xls] will be obtained as [\\CustomerInformation.xls] or [\\Customer\CustomerInformation.xls]

  • When you perform file operations, additional "Create" logs may be obtained.

  • When you perform file operations in Microsoft Office, operation logs may be obtained for the temporary files (such as .dll, .dat, and .lnk) that are created by the operating system.

  • When you use Microsoft PowerPoint and save all pages in an image format (such as jpg or tif), a separate image file is output for each page. However, a "Save as" log is recorded only for the page image file for which you specified the file name in the Save as dialog box. The file operation logs for the other pages are recorded as "Create" logs.

  • When you operate (such as update or rename) a file after creating it, a "Create" log may not be output.

  • When you perform "Copy" or "Move" operations in encrypted files or folders, additional "Delete" logs may be collected.
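The note above that a large-file Move may be split into Copy and Delete logs matters when reviewing exported logs for data movement. The following is an added example, not part of the original guide or the product: it pairs a Copy with a later Delete of the copy source by the same user and reports the pair as an inferred Move. The record field names, the sample records and the pairing window are assumptions made for illustration, not the product's export format.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not the product's export format.
SAMPLE = [
    {"time": datetime(2024, 1, 5, 9, 0, 0), "user": "alice", "op": "Copy",
     "source": r"C:\work\big.iso", "target": r"E:\big.iso"},
    {"time": datetime(2024, 1, 5, 9, 0, 50), "user": "alice", "op": "Delete",
     "source": r"C:\work\big.iso", "target": ""},
    {"time": datetime(2024, 1, 5, 9, 5, 0), "user": "bob", "op": "Copy",
     "source": r"C:\docs\plan.docx", "target": r"E:\plan.docx"},
    {"time": datetime(2024, 1, 5, 9, 6, 0), "user": "alice", "op": "Delete",
     "source": r"C:\docs\plan.docx", "target": ""},
]

def _key(user, path):
    # Windows paths and account names compare case-insensitively.
    return (user.lower(), path.lower())

def reconstruct_moves(records, window=timedelta(minutes=5)):
    """Return the records in time order, with each Copy that is followed by a
    Delete of its source (same user, within `window`) merged into one
    'Move (inferred)' record. The window is an analyst-chosen assumption."""
    pending = {}  # (user, source) -> index in `out` of a Copy not yet paired
    out = []
    for rec in sorted(records, key=lambda r: r["time"]):
        k = _key(rec["user"], rec["source"])
        if rec["op"] == "Copy":
            pending[k] = len(out)
            out.append(dict(rec))
        elif rec["op"] == "Delete" and k in pending:
            copy = out[pending.pop(k)]
            if rec["time"] - copy["time"] <= window:
                copy["op"] = "Move (inferred)"
                copy["completed"] = rec["time"]
            else:
                out.append(dict(rec))  # too far apart: keep as a separate Delete
        else:
            out.append(dict(rec))
    return out

if __name__ == "__main__":
    for r in reconstruct_moves(SAMPLE):
        print(r["time"], r["user"], r["op"], r["source"], "->", r["target"])
```
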

When a large number of View logs are collected
  • When collecting operation logs, register the process for which the file operation log is to be recorded in the File operation. At that time, if the Select according to Extension option is set to Get all extensions, information about all files accessed by the process (application) will be collected. Apart from data files, these files also include execution modules and temporary files, such as files with the "exe", "dll", "ini", "tmp", "lnk" or "inf" extensions. All these operation logs will be collected.

When logs cannot be collected
  • The operation log of playing music CDs cannot be collected.

  • An operation log cannot be collected when you directly save data in Internet storage.

  • A file operation log may not be collected when there is an attempt to view or update a file for which the user does not have access privilege.

  • Folder operation logs may not be obtained.

  • Operation logs may not be obtained for files that have a size of 0 bytes.

File Operation Logs Relating to the Network Drive
  • The file operation logs collected for network drives are those for file and folder operations performed on computers in the network from the client (CT) of Systemwalker Desktop Keeper.

  • The file operation log relating to a network drive is displayed in UNC format, or in UNC format in which the computer name part is an IP address. However, under the following conditions, the Target File Name information of the log will be displayed as the absolute path of the file name or folder name.

    • Allocate a drive letter for the network drive and perform a rename operation in the drive letter.

    • Allocate a drive letter for the network drive and perform a move operation in the drive letter.

    • For the drive letter that is allocated as a network drive, perform the move operation from a folder that was accessed directly on the network drive with the same drive letter as the allocated one.

  • For move operations between the drive letter that is allocated to a network drive and a folder that was accessed directly on the network drive with the same drive letter as the allocated one, the logs listed in "9.2.21 File Operation Log" will be collected, but the following information in the collected logs may be different.

    • In File operation > About log of files under the folder > In same drive, logs of Rename instead of x will be collected.

    • In File operation > About log of folder > In same drive, logs of Create, Delete, and (Delete) instead of Rename, (Rename), and (Delete) will be collected.

    • When you delete a file from the network drive (including access via a UNC path) in Windows 8.1, Windows 10, Windows Server 2012 or Windows Server 2016, a "Delete" log may not be output. Especially when files are deleted using a batch file or script, "Delete" logs are not output.

    • When you move a file from the network drive (including when it is accessed via a UNC path) in Windows 8.1, Windows 10, Windows Server 2012 or Windows Server 2016, the "Move" log may be output as a "Copy" log.
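Because the same network file can appear in collected logs as a UNC path, a UNC path with an IP address, a drive-letter path, or (in a virtual environment) with the \\Device\PicaDriveRedirector\ prefix described earlier, records need a common form before they can be compared. The following is an added example, not part of the original guide or the product: it reduces those forms to one lowercase UNC path and flags UNC paths that look truncated. The drive-letter and IP lookup tables are analyst-supplied assumptions with constructed sample values.

```python
import re

PICA_PREFIX = "\\\\Device\\PicaDriveRedirector\\"  # prefix quoted in this guide

# Analyst-supplied lookup tables (constructed sample values, not from the guide).
DRIVE_MAP = {"Z:": r"\\fileserver01\share"}    # mapped drive letter -> share
HOST_BY_IP = {"192.0.2.10": "fileserver01"}    # IP address -> computer name

def canonical_path(path, drive_map=DRIVE_MAP, host_by_ip=HOST_BY_IP):
    """Reduce the path forms described above to one lowercase UNC form."""
    p = path.strip()
    # Virtual environment: drop the redirector prefix, keep the UNC remainder.
    if p.lower().startswith(PICA_PREFIX.lower()):
        p = "\\\\" + p[len(PICA_PREFIX):]
    # Drive-letter path on a mapped network drive -> UNC path of the share.
    m = re.match(r"^([A-Za-z]:)(\\.*)?$", p)
    if m and m.group(1).upper() in drive_map:
        p = drive_map[m.group(1).upper()] + (m.group(2) or "")
    # UNC path whose computer name part is an IP address -> computer name.
    m = re.match(r"^\\\\([^\\]+)(\\.*)?$", p)
    if m:
        p = "\\\\" + host_by_ip.get(m.group(1), m.group(1)) + (m.group(2) or "")
    return p.lower()

def looks_truncated(path):
    """A UNC file path needs computer, share and file name; fewer components
    suggest the full path was not obtained, so the record cannot be matched."""
    c = canonical_path(path)
    return c.startswith("\\\\") and len([s for s in c[2:].split("\\") if s]) < 3

if __name__ == "__main__":
    for sample in (r"Z:\reports\q1.xlsx",
                   r"\\192.0.2.10\share\reports\q1.xlsx",
                   r"\\Device\PicaDriveRedirector\Client\F$\Customer\CustomerInformation.xls",
                   r"\\Customer\CustomerInformation.xls"):
        print(sample, "->", canonical_path(sample), looks_truncated(sample))
```

`looks_truncated` is meant for file records only; a folder record for a share root would also have fewer than three components.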

Set excluded folder for file operation Log obtaining
  • The excluded folder setting for obtaining file operation logs excludes folders only if the target drive is a built-in fixed disk. Arbitrarily specified excluded folders are likewise excluded only if the target drive is a built-in fixed disk.

  • Even for a built-in disk, when the OS identifies it as a removable drive, the disk will not be subject to the excluded folder setting for obtaining file operation logs.

  • Even if the excluded folder is enabled, the operation logs related to the folders that are not excluded will be obtained.

  • All the folders, subfolders, and files under an excluded folder are targets to be excluded.

  • When the values of the system environment variables TEMP and TMP are modified, the modified values take effect after the next OS startup. The values prior to modification are used until the OS is restarted.

  • When the values of the user environment variables TEMP and TMP are modified, the modified values take effect upon the next user logon. The values prior to modification are used until the next logon.

  • When only symbols such as "\" and "\\" have been set as the value of TEMP and TMP in the system environment variables and user environment variables, the setting will be invalid.
    "\" indicates the root directory of the current drive while the program is running, but it will not be excluded because it cannot be fixed.
    In addition, "\\" indicates the beginning of a network path in UNC format, but it is meaningless when the value contains only "\\", so it will not be excluded in this case.

  • When the folders of the system environment variables TEMP and TMP and the temporary Internet files are specified as targets for exclusion, if the file name is a path of more than 260 halfwidth characters (130 fullwidth characters), the exclusion setting will be invalid and the file operation log will be collected.
    However, if the path is 260 halfwidth characters (130 fullwidth characters) and the 260th character is "\", the setting will be valid.

  • When the path of excluded target contains dedicated Unicode characters, it will not become the target for exclusion.