In windows event interception is controlled by two drivers, seosdrv.sys and drveng.sys The drivers protect all the CA ControlMinder files and registry keys by performing the following tasks:
For file access and other events to be intercepted, the UseFSIDrv value in the registry key:
Must be set to 1
I have installed CA Control Minder 12.8 PIM-12.81.2129-18-JUL-2015_GA_Kit on OS Win2012R2, but if I have UseFsiDrv set to 1, PIM will fail to start.
I have set UseFSIDrv to 0 and then it starts, but no file events are intercepted.
How can I solve this problem ?
CA PIM 12.8 SP1 on Windows 2012 endpoint
To be able to work with Windows 2012, CA PIM 12.8 SP1 requires patch RO9200 as stated in the compatibility matrix
Patch can be retrieved from
Besides this, and as stated in the above matrix, PIM requires Windows 2012 WMI instrumentation to be disabled as it is not yet supported.
So to have a working Windows 2012 environment where interception will work, please install CA PIM 12.8 SP1 plus the above patch
Next you need to enable UseFSIDrv to enable interception, and the drveng and seosdrv drivers to intercept the corresponding events
### LIST SETUP REGISTERS ###
UseFsiDrv under the registry key
HKEY_LOCAL_MACHINE\Software\ComputerAssociates\ eTrustAccessControl\eTrustAccessControl\UseFsiDrv to 1
# Change start type for seosdrv and drvend driver. It means disable them at start time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drveng\Start to 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seosdrv\Start to 1
Finally, since instrumentation is not supported in Windows 2012 R2, it must be disabled
# Disable CAINSTRM driver and instrumentation functionality
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cainstrm\Parameters\OperationMode to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cainstrm\Start to 1
This should enable correct operation of CA PIM in Windows