NCC Group Security Labs - Windows Activity Logger: the all-seeing-eye


Providing You a Window of Detailed Insight

NCC Group Labs has developed a product designed to provide unparalleled insight into the activities of sophisticated threat actors on Microsoft Windows hosts.

The product is proactively deployed across your Microsoft Windows estate with no discernible impact on system performance.

The product works by creating a three-hour rolling window of insight into system activity without polluting your Microsoft Windows Event Log. The data logged includes:

  1. Process creation including command line and parameters.
  2. Thread creation.
  3. LoadImage events.
  4. Windows Registry key creation, deletion and renaming.
  5. TCP and UDP connections including remote host address, port and source process ID.
  6. File system activity such as creation, deletion and renaming.

In the free version of the product, the log can be obtained from the host by running a simple command line tool.

In the commercial version of the product, not only do you get world-class support, you are also able to configure the product to send its logs to a central location.

Free or commercial

Free to use on up to 10 hosts (physical or virtual) in a single organization.

If you are interested in buying a copy simply contact either:

  • Your NCC Group account manager referencing 'NCC Group Windows Activity Logger'
  • Central sales via e-mail at


You can download the installation packages using the links on the right.


Bug Reports

If you've run into a bug, even as an unpaid user, feel free to contact bug reports via e-mail.

How To Use

First, install the product and allow it to collect logs. To obtain the log window, run the following commands from your search path (the binaries reside in '%PROGRAMFILES%\NCC Group\Windows Activity Logger'):

| Command line | Function |
|---|---|
| LogFileReader todisk | Causes the current window of logs to be dumped to disk in %ALLUSERSPROGRAMDATA% (e.g. C:\ProgramData\) |
| LogFileReader toxml C:\ProgramData\ | |

Note: requires administrator access.

This command processes all files in a folder. Each XML file is typically 1.5 times the size of the source file.

How To Upgrade

Simply install the new version and the driver, service and command line tool will be automatically updated.

Service Configuration

All Windows Registry settings are stored under 'HKLM\Software\NCC Group\Windows Activity Logger'

| Value Name | Type | Description | Default |
|---|---|---|---|
| Log Level | DWORD | Controls the amount of data going to the event log. 1 - Errors only; 2 - Errors and Warnings; 3 - Errors, warnings & Info | |
| SaveOnStop | DWORD | Saves files when service is stopped. 0 - No; 1 - Yes | |
| SaveOnShutdown | DWORD | Saves files when service is shut down. 0 - No; 1 - Yes | |
| MaxRam | DWORD | Approximate limit on RAM usage (MB); minimum 64MB | Installer sets to 50% available RAM. 2048 MB when entry not present. |
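
The settings above can be audited on a host with a short PowerShell check. This is an example added here, not NCC Group's code: it compares each documented value against the type and range in the table, and the function name Test-ActivityLoggerConfig and the status strings are hypothetical.

```powershell
# Added example (not part of the product): audit the documented service settings.
# Only the key path, value names, DWORD type and ranges are taken from the page.
$KeyPath = 'HKLM:\Software\NCC Group\Windows Activity Logger'

# Documented ranges. Max = $null means the page states no upper bound.
$Spec = [ordered]@{
    'Log Level'      = @{ Min = 1;  Max = 3 }
    'SaveOnStop'     = @{ Min = 0;  Max = 1 }
    'SaveOnShutdown' = @{ Min = 0;  Max = 1 }
    'MaxRam'         = @{ Min = 64; Max = $null }   # MB
}

function Test-ActivityLoggerConfig {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    $key     = Get-Item -LiteralPath $Path
    $present = $key.GetValueNames()

    foreach ($name in $Spec.Keys) {
        $rule   = $Spec[$name]
        $value  = $null
        $status = 'OK'

        if ($present -notcontains $name) {
            # The page documents a fallback only for MaxRam.
            $status = if ($name -eq 'MaxRam') { 'Missing (2048 MB applies)' } else { 'Missing' }
        }
        else {
            $kind  = $key.GetValueKind($name)
            $value = $key.GetValue($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $status = "Wrong type ($kind)"
            }
            elseif ($value -lt $rule.Min -or ($null -ne $rule.Max -and $value -gt $rule.Max)) {
                $status = 'Out of range'
            }
        }
        [pscustomobject]@{ Name = $name; Value = $value; Status = $status }
    }
}

# Reading HKLM does not require elevation; run on a host where the product is installed.
Test-ActivityLoggerConfig | Format-Table -AutoSize
```

Any row whose Status is not OK is worth comparing against the intended deployment baseline.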

Release History

1.0.6 - November 27, 2014: turned down the Eventlog logging and further increased performance.

1.0.5 - November 26, 2014: added understanding of protected processes.

1.0.4 - November 24, 2014: added parent PID of the process to the output XML.

1.0.3 - November 22, 2014: added username of the process to the output XML.

1.0.2 - November 21, 2014: adjustments in how log files are stored.

1.0.0 - November 19, 2014: initial release.