WinDiagnostic FAQ Support: support@WinDiagnostic.com
General Questions:
How Will WinDiagnostic Help My PC Support Business?
How Does WinDiagnostic Operate?
Viruses and Worms: Tell Me More
WinDiagnostic Operation Notes:
Why does WinDiagnostic report its results through email?
But can I review WinDiagnostic reports on the Web?
How can I obtain more than 10 clients?
How often does WinDiagnostic execute on a PC?
What is a WinDiagnostic Server?
How can I email WinDiagnostic reports to more than one recipient?
What PC disks does WinDiagnostic monitor?
Does WinDiagnostic use a lot of system resources?
Can I install a single WinDiagnostic userid on more than one PC?
Problem Determination:
Help--I've lost my account password!
I'm not receiving WinDiagnostic email reports. What is wrong?
WinDiagnostic will not run. What is wrong?
I never see any email messages from certain clients. What is wrong?
I just performed a major operating system update and WinDiagnostic did not report any changes
Advanced Topics:
I don't want WinDiagnostic to monitor all hard disks on a particular PC. How can I implement this?
WinDiagnostic is reporting files or Registry keys I do not want to see. How can I stop this?
What are the parameters in file %SYSTEMDRIVE%\cfaudit\Programs\cfaudit.cfg?
Where does WinDiagnostic store its disk file and Registry state information?
How can I terminate the cfmain.exe process on my Windows 2000 PC?
How Will WinDiagnostic Help My PC Support Business?
You already know the answer:
Modern PCs seldom have hardware failures;
Most problems are caused by the installation, removal, or modification of the operating system, application programs, or hardware devices.
However, by continually monitoring the PC file system and Windows Registry, WinDiagnostic detects and reports all of these changes!
But WinDiagnostic does even more:
It runs automatically--just install it and forget it;
It filters out all normal (benign) Windows and Application program changes;
It remotely reports all PC changes via email or a private web interface.
And since WinDiagnostic allows you to monitor multiple PCs through its management interface, detecting and diagnosing Windows problems has never been easier!
How Does WinDiagnostic Operate?
WinDiagnostic agent software is installed on each monitored PC. Agents monitor all file systems and the Windows Registry for changes, then forward "change events" over the Internet to WinDiagnostic servers.
WinDiagnostic servers receive change events from Agents, filter out normally-occurring (benign) events, then produce daily reports of all changes, which are emailed to the account owner (if desired), and archived for viewing via the Web.
Using WinDiagnostic couldn't be easier! Here's what you do:
Go to www.windiagnostic.com and click "Create an Account" to obtain an account
Using your account userid and password, install WinDiagnostic PC software on one or more PCs
Start receiving WinDiagnostic reports!
It's just that simple!
Does WinDiagnostic transmit any file content or private data to its servers?
Absolutely not! WinDiagnostic transmits only file names and Registry key names, and the status of whether each file/key was created, deleted, or modified.
Is WinDiagnostic's Internet connection secure?
WinDiagnostic's client-server communication uses industry-standard Secure Shell II (SSH2) protocols with 2048 bit DSA keys. Clients initiate data exchanges to servers, but servers cannot initiate data connections to clients (clients do not listen for SSH connection requests).
Viruses and Worms: Tell Me More
Wow! WinDiagnostic detects the installation of viruses and worms (malware) within one day!
Malware seeks permanence; in other words, after a malware installation, the bogus software is designed to execute after power-up or reboot. To accomplish permanence, malware must change the Windows file system and Registry. And since WinDiagnostic constantly monitors these PC systems, it immediately detects the installation of malware!
And note this: Antivirus vendors typically require up to 45 days to research and identify new malware, and then roll out a fix in their software. During this period, new viruses are free to roam the Internet and install themselves on PCs. However, with WinDiagnostic, malware installations are detected the day they are installed!
When we managed a Help Desk and support staff for 10,000 users, WinDiagnostic was precisely what we needed--except that it did not exist then! Now it does, and we want to share it with other sysadmins and support engineers.
WinDiagnostic Operation Notes
Why does WinDiagnostic report its results through email?
WinDiagnostic reports system changes by exception—that is, it reports changes that normally should not occur. Many PCs will run for weeks without a WinDiagnostic event. Email provides a convenient and ubiquitous method to review exceptional events, and email can be more convenient than logging-on to a Web site to view WinDiagnostic events.
But can I review WinDiagnostic reports on the Web?
Of course! Your client PC reports always can be viewed through WinDiagnostic's Account Management Function.
How can I obtain more than 10 clients?
The 10 client limitation will be removed in the future (after the freeware period).
How often does WinDiagnostic execute on a PC?
WinDiagnostic clients normally run once per day (although clients can be configured to run up to four times a day).
What is a WinDiagnostic Server?
Each day, WinDiagnostic clients detect hundreds of added, deleted, or modified Windows files and Registry keys. WinDiagnostic servers filter out common changes which are associated with benign system changes, and report only those that reflect potential system problems.
How can I email WinDiagnostic reports to more than one recipient?
The Account Manager's "Manage Account Reporting" function allows you to change or add email addresses to your account. You can also specify email reporting specific to each individual client (some business owners or IT managers like to see their own WinDiagnostic reports).
What PC disks does WinDiagnostic monitor?
WinDiagnostic's default configuration is to monitor all active hard disks.
Does WinDiagnostic use a lot of system resources?
No. WinDiagnostic's scan processes run only a few minutes each day; most users are not even aware that WinDiagnostic is installed on their system.
Can I install a single WinDiagnostic userid on more than one PC?
No. Although multiple PCs with the same WinDiagnostic userid would communicate with our servers, the reports would be meaningless, since they would contain adds, deletes, and modifications for disk drives and registries on multiple PCs.
Problem Determination
Help--I've lost my account password!
No problem. Simply email password@windiagnostic.com from your account email address. We will send your password to that address.
I'm not receiving WinDiagnostic email reports. What is wrong?
First, log on to the Account Manager (via the web) and check if WinDiagnostic is creating reports. If so, then verify that your email address(es) is/are valid. Next, check the Account Management "Manage Account Reporting" page, and make sure none of the address fields contains "disabled." Finally, check if your ISP is marking reports as spam (WinDiagnostic uses HTML email, and anti-spam software has become quite restrictive for this format). If your reports are being marked as spam, re-configure your anti-spam software to accept address *@windiagnostic.com.
My WinDiagnostic installation fails with the following message: “Installation of cfaudit service failed with rc=16”
Make sure that mmc.exe is not running with an open “services” window. Also, make sure that explorer.exe is not open and pointing to the %systemdrive%\cfaudit directory or any of its subdirectories.
WinDiagnostic will not run. What is wrong?
1) Check that the Windows Firewall and/or anti-virus software is not blocking WinDiagnostic processes. The following programs must be allowed to execute: a) directory %systemdrive%\cfaudit\programs: cfaudit.exe, cfmain.exe, cfscan.exe, cfregist.exe, pscp.exe, and b) directory %systemdrive%\windows\temp: cfload.exe, cfupdate.exe.
2) Inspect file %systemdrive%\cfaudit\output\auditerrors. If this file exists, open it with Notepad and review the contents.
3) Make sure you are using the standard installed configuration file (%systemdrive%\cfaudit\programs\cfaudit.cfg). Your file should look like this, with "Userid" set to your actual client number:
Noscan = *\System Volume Information
Cycletime = 86400
Userid = cfnnnnnn (where nnnnnn is your 6 digit client account number, left-justified with leading zeros)
4) Try reinstalling the client software (you will not lose disk and Registry state information).
5) Notify WinDiagnostic support at support@WinDiagnostic.com
I never see any email messages from certain clients. What is wrong?
1) WinDiagnostic requires an Internet connection to transmit its reports. If a PC never connects to the Internet, WinDiagnostic cannot transmit reports to our servers, and the servers cannot then post those reports to you.
2) After startup and before performing any network activity, WinDiagnostic delays its operation a random interval of 10-15 minutes. Also, each client is synchronized to transmit to servers at a certain time of the hour. A client PC should remain connected to the Internet for approximately 1.5 hours to ensure that WinDiagnostic transmits its reports.
3) WinDiagnostic's file/path Event Filter Function (in the Account Manager) can severely limit event reporting. As a test of raw WinDiagnostic operation, create a "Watch" string for the client via the Event Filter Function. Place a single asterisk in this string. This will cause WinDiagnostic to report each and every created/deleted/modified file.
4) Did you just install client software? WinDiagnostic can take up to 24 hours to schedule an initial database build, then another 24 hours to report any changes from the initial database. Please wait at least 48 hours for a new PC client to begin reporting (and then, only if there are any file/registry changes to report).
I just performed a major operating system update and WinDiagnostic did not report any changes
Since thousands of files and Registry keys can change during an OS upgrade, WinDiagnostic incorporates reasonability checks that limit event reporting; i.e., WinDiagnostic will not transmit a report when a disk's file changes exceed 12,000 or when Registry changes exceed 15,000.
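The change-event flow described in this FAQ, as an added example that is not WinDiagnostic's own code: a snapshot comparison that emits names and status only, the 12,000/15,000 reasonability check, and an Event Filter pass in which a "Watch" string overrides an ignore string. The snapshot layout, the glob-style pattern matching, the function names and the sample paths are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

FILE_LIMIT = 12_000      # FAQ: no report when file changes exceed this
REGISTRY_LIMIT = 15_000  # FAQ: no report when Registry changes exceed this

# Constructed snapshots: name -> fingerprint (any value that changes when the item does).
OLD_FILES = {r"c:\users\pat\ntuser.dat": "c1", r"c:\windows\temp\setup.log": "b1",
             r"c:\windows\system32\drivers\etc\hosts": "a1"}
NEW_FILES = {r"c:\users\pat\ntuser.dat": "c2", r"c:\windows\system32\newsvc.exe": "d1",
             r"c:\windows\system32\drivers\etc\hosts": "a2"}


def diff_snapshots(old, new):
    """Client side: emit (status, name) pairs only, never file or key content."""
    events = [("created", n) for n in new.keys() - old.keys()]
    events += [("deleted", n) for n in old.keys() - new.keys()]
    events += [("modified", n) for n in old.keys() & new.keys() if old[n] != new[n]]
    return sorted(events, key=lambda e: e[1])


def within_limits(file_events, registry_events):
    """Reasonability check: False means the client sends no report for this cycle."""
    return len(file_events) <= FILE_LIMIT and len(registry_events) <= REGISTRY_LIMIT


def server_filter(events, ignore=(), watch=()):
    """Server side: drop events matching an ignore pattern unless a watch pattern matches."""
    def hit(name, patterns):
        return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)
    return [e for e in events if hit(e[1], watch) or not hit(e[1], ignore)]


def daily_report(file_events, registry_events, ignore=(), watch=()):
    """Return the filtered event list, or None when the reasonability check suppresses it."""
    if not within_limits(file_events, registry_events):
        return None
    return server_filter(file_events + registry_events, ignore, watch)


if __name__ == "__main__":
    events = diff_snapshots(OLD_FILES, NEW_FILES)
    for status, name in daily_report(events, [], ignore=[r"*\ntuser.dat", r"c:\windows\temp\*"]):
        print(status, name)
```

A `None` result corresponds to the case in the answer above: the changes were detected on the client, but no report exists for that day.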
Please email your questions and problems to support@WinDiagnostic.com.
Advanced Topics
I don't want WinDiagnostic to monitor all hard disks on a particular PC. How can I implement this?
Using Notepad, open the client configuration file %systemdrive%\cfaudit\Programs\cfaudit.cfg and insert "Scan" records for each drive you wish to monitor (syntax: Scan = c:). This will turn off auto hard disk discovery and force WinDiagnostic to scan only the drives you specify.
WinDiagnostic is reporting files or Registry keys I do not want to see. How can I stop this?
First, shoot us an email (support@WinDiagnostic.com) with the offending file(s) or key(s). If the event is benign and generic to a normally changing function, we will filter it out at the server level. However, if the reported events are specific to a particular PC, use the Account Manager's Event Filter Functions to ignore these events.
WinDiagnostic is not reporting certain files or Registry keys I wish to monitor. How can I monitor these items?
These files are probably being filtered out by WinDiagnostic servers. Please let us know if we are mistakenly filtering out something that everybody should see (support@WinDiagnostic.com). Otherwise, you may instruct WinDiagnostic servers to stop filtering out any file or path using the Account Manager's Event Filter Functions.
Note: We will send you a list of all Server filters when you email filters@windiagnostic.com
What are the parameters in file %SYSTEMDRIVE%\cfaudit\Programs\cfaudit.cfg?
Scan = Disk drive to scan (with colon; i.e., d:) [normally this parameter is not used]
NoScan = File/path to ignore
Cycletime = Scan period in seconds (default is once per day)
Userid = Client’s WinDiagnostic userid (do not change)
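A check of cfaudit.cfg against the parameters listed above, as an added example that is not part of WinDiagnostic: it flags malformed records and any Scan or NoScan record that narrows what the client monitors compared with the standard installed file. The sample client number, the case-insensitive key matching, the 21600-second floor (derived from "up to four times a day") and the function name are assumptions.

```python
import re

# Constructed sample: the standard file from the FAQ with a made-up client number.
STANDARD_CFG = """\
Noscan = *\\System Volume Information
Cycletime = 86400
Userid = cf000123
"""
STANDARD_NOSCAN = r"*\system volume information"
MIN_CYCLETIME = 86400 // 4  # FAQ: clients run at most four times a day


def audit_cfg(text):
    """Return a list of findings; an empty list means the file matches the standard layout."""
    findings, userids = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        key, sep, value = raw.partition("=")
        key, value = key.strip().lower(), value.strip()  # assumption: keys are case-insensitive
        if not sep:
            findings.append(f"line {lineno}: not a 'Key = value' record")
        elif key == "userid":
            userids.append(value)
            if not re.fullmatch(r"cf[0-9]{6}", value):
                findings.append(f"line {lineno}: Userid is not 'cf' plus 6 digits")
        elif key == "cycletime":
            if not re.fullmatch(r"[0-9]+", value) or int(value) < MIN_CYCLETIME:
                findings.append(f"line {lineno}: Cycletime not a number or below {MIN_CYCLETIME} seconds")
        elif key == "scan":
            if not re.fullmatch(r"[A-Za-z]:", value):
                findings.append(f"line {lineno}: Scan value is not a drive letter with colon")
            findings.append(f"line {lineno}: coverage: Scan record turns off automatic disk discovery")
        elif key == "noscan":
            if value.lower() != STANDARD_NOSCAN:
                findings.append(f"line {lineno}: coverage: NoScan excludes {value}")
        else:
            findings.append(f"line {lineno}: unknown parameter {key!r}")
    if len(userids) != 1:
        findings.append(f"expected exactly one Userid record, found {len(userids)}")
    return findings


if __name__ == "__main__":
    for finding in audit_cfg(STANDARD_CFG) or ["no findings"]:
        print(finding)
```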
What is the difference between using the cfaudit.cfg file “NoScan” parameter and the Account Manager file/path Event Filter Functions?
The Event Filter specifies files and paths that are to be ignored by WinDiagnostic servers. However, the NoScan parameter instructs the WinDiagnostic PC client not to scan an entire path or specific file. This may be useful for ignoring highly-populated drives or directories that are used for backups or other similar purposes.
Where does WinDiagnostic store its disk file and Registry state information?
In directory %SYSTEMDRIVE%\cfaudit\Data.
I’ve found the system service for WinDiagnostic, but the service is not running even though WinDiagnostic appears to be operating
WinDiagnostic uses the Windows Service Control Manager (SCM) as a reliable way to start an initial WinDiagnostic process, that then performs housekeeping and starts WinDiagnostic’s main process. This initial task only runs for a few seconds, so it is normal to see the WinDiagnostic service not running.
How can I terminate the cfmain.exe process on my Windows 2000 PC?
WinDiagnostic runs on Windows 2000 via userid “LocalSystem.” Under Windows 2000, the task manager cannot kill a LocalSystem process. To get around this problem, use the script killtask.bat, which is located in directory %systemdrive%\cfaudit\programs.