You should be running a Baseline Scan on whatever interval you choose (we use 30 days). Then you should have another task that runs daily called Activity Scan and this will pick up any changes from your baseline. If you are just running just the Baseline Scan then everytime you run that scan you are establishing a new baseline so you are saying that everything running on it at the time of that scan is valid. The Activity Scan is like a differential, so it will compare the current settings against the baseline you had set and then report all of the differences. Then (in ePO 4.0) you go to Reporting > Asset Baseline Monitor and you should see any registry key changes, user or group changes, and new services being started or stopped. I know its about a year late, but maybe it will help someone else who comes across the same problem.