Is file LogWatNT.exe required for Gen licensing to function?
Our organization is trying to remediate the below issue and I am wondering if that file can be removed.
Tenable is reporting there are insecure permissions set for the Event Log Watch service, which appears to be associated with the Gen application. Tenable is reporting that the LogWatNT.exe has “write” permissions allowed for the “Users” and “Domain Users” groups which is insecure.
Path : "C:\Program Files (x86)\CA\SharedComponents\CA_LIC\LogWatNT.exe
Used by services : Event Log Watch
File write allowed for groups : Users (...), Domain Users (...)
As part of its installation, Gen installs the CA (ALP) Licensing software into the directory "C:\Program Files (x86)\CA\SharedComponents\CA_LIC".
An older information solution for Gen 6.5, "WHAT ARE THESE SERVICES FOR THAT ARE INSTALLED WITH GEN?", explains that LogWatNT.exe is run by the service "Event Log Watch" ("CA Licensing Event Log Management") and suggests that the service can be set to Manual after the installation.
In Support testing in a Gen 8.6 environment, after the "Event Log Watch" service was stopped, the LogWatNT.exe process was removed from the Task Manager Details tab, which corresponds to the above information.
With the service "Event Log Watch" stopped and set to Disabled, Support also tested renaming the license file "C:\Program Files (x86)\CA\SharedComponents\CA_LIC\ca.olf" and then used the Gen Toolset. CA_LIC license errors were still logged in the Windows Event Viewer under "Windows Logs > Application".
After further research with Gen Engineering, it was determined that LogWatNT.exe is responsible for logging license-related messages in the lic98.log file.
So even when the service is stopped, the messages are still available via the Event Viewer.
The "Event Log Watch" service/LogWatNT.exe was also designed to stay running to prevent the removal of the file lic98.dll, which it loads. The lic98.dll is also loaded by any Broadcom software, like Gen, that is using the licensing software.
Since Gen may be the only product that is using CA Licensing on the Windows system, the likelihood of that dll being deleted by another product is quite low.
Therefore, in summary, there appears to be no negative impact on the Gen license checking after stopping the "Event Log Watch" service, which in turn means that LogWatNT.exe is no longer running.
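To confirm the reported permissions and apply the service change that Support tested, the following PowerShell is an added example, not a Broadcom script. It assumes English group names, an elevated prompt, and it locates the service by the executable it runs rather than by an assumed service name; `$Apply` is a hypothetical switch introduced here.

```powershell
# Added example. Run elevated. Path taken from the Tenable output in the article.
$exe   = 'C:\Program Files (x86)\CA\SharedComponents\CA_LIC\LogWatNT.exe'
$Apply = $false   # set to $true to stop and disable the service

# Atomic rights that allow altering or replacing the binary. Composite values
# such as Modify or FullControl contain these bits, so a bitwise test catches them.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Low-privilege principals to flag (assumption: English group names).
$lowPriv = '(^|\\)(Users|Domain Users|Authenticated Users|Everyone)$'

# List Allow entries that give those principals any write-type right.
$risky = (Get-Acl -LiteralPath $exe).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $lowPriv -and
    ([int]$_.FileSystemRights -band $writeBits) -ne 0
}
$risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Find the service by the executable it runs, not by an assumed service name.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*LogWatNT.exe*' }
$services | Format-Table Name, DisplayName, State, StartMode, StartName -AutoSize

if ($Apply) {
    foreach ($s in $services) {
        Stop-Service -Name $s.Name -Force
        Set-Service  -Name $s.Name -StartupType Disabled
    }
    # After the stop, the process should no longer be listed.
    if (Get-Process -Name 'LogWatNT' -ErrorAction SilentlyContinue) {
        Write-Warning 'LogWatNT.exe is still running.'
    } else {
        Write-Output 'LogWatNT.exe is not running; service disabled.'
    }
}
```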