Modifying the command prompt recognized by the collector

For the collector to identify the command events executed in a session, it must also be able to identify the command prompt. Although there are several characters that are commonly used and recognized by default, most computers also allow you to customize the command prompt. If a customized command prompt is not detected by the collector, commands will not be displayed properly in the session Events list, making it difficult for auditors to see the commands executed in a selected session.

To enable the collector to detect custom or unusual command prompts, you can add a registry key on the computer where the collector is installed and specify a text string or a regular expression that will match the command prompt.

To specify a regular expression for the command prompt:

  1. Log on to the computer where the collector component is installed and running.
  2. Open the Registry Editor.
  3. Expand the HKEY_LOCAL_MACHINE > SOFTWARE > Centrify > DirectAudit registry.
  4. Select the Collector component, right-click, then select String Value.
  5. Type Prompt as the new key name.
  6. Select the new Prompt key, right-click, then select Modify.
  7. Type a text string or regular expression that will enable the collector to identify the command prompt you are using on computers you are auditing.

    If you don’t define a registry value, the default regular expression ^[^#%>\$]*[#%>\$]\s* is used to detect the command prompt.