Tried searching on the forums, product guides and README, and Google as a whole without finding the answer. I am wanting to get user account activity events from Device Control and see this is the command to execute. I ran what I thought was the right syntax in ePO under EC: Run Commands and get a success back from the ePO task but think it returns this regardless if the syntax is correct or not. Got an admin to delete a key in the registry and its not showing up in the events so I think what I ran did not work. I am getting registry adds/delete/modify FIM changes made by NT AUTHORITY, just not from this user. Have checked and logging under Audit Policy is set correctly on this server.
Can anybody point me in the right direction?