
HOST class * for WINDOWS SERVER 2016


Article ID: 129695




CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)


On UNIX, defining a HOST class record with * makes it possible to see records for all hosts. The same is required for Windows.

On Windows, the following example, meant to audit all hosts, does not work:

so class+(host)
nr host * audit(all)
auth host * service(*) access(all)

seaudit -a | findstr HOST produces no entry for the host class.

However, defining a specific terminal with the host class:

nr host audit(all)
auth host service(*) access(all)
seaudit -a | findstr HOST

produces some output for the host defined previously:

11 Jan 2019 13:58:08 P HOST ms-wbt-server 153 3

On Linux/UNIX, both examples work.

Is it possible to use the same host record definition on Windows as on UNIX (namely, specifying a * entry) to see all audit records for all hosts?


PIM 14
Windows all supported versions


No, you cannot use the same command on UNIX and on Windows.

On UNIX, * works for the HOST class, but it does not on Windows.

On a Windows endpoint, the '*' character is used when creating GENERIC system resources (FILE, REGKEY, REGVAL). The rule creates protection on the folder/registry and its subfolders/registry values.

There is no logic in the Windows endpoint to handle the case where you create or update a rule using the '*' character in the RESOURCE name. It is interpreted as an intent to change the existing rules in this class, and hence it does not work as intended.

This is not a bug, but an implementation limitation of the Windows Endpoint.