Dameware Remote Everywhere Log Reference
An important part of an incident response investigation is reviewing logs. Whether they come from disparate, disconnected systems or from a central SIEM, log review is critical to understanding system and user activity as well as gauging risk and impact. In this post, we’re going to look at Dameware Remote Everywhere logs.
1. Introduction
In an incident response scenario, it is not uncommon to encounter Remote Monitoring and Management (RMM) tools. These are often perfectly legitimate tools used by IT departments, but they pull double duty as covert channels of remote access for attackers. And of course, when you encounter those tools, one of the first things you’ll want to look for is their logs!
In a recent incident response case, I encountered the Dameware Remote Everywhere (DRE) RMM tool and was tasked with reviewing its potential use in the environment. Luckily, DRE has a good amount of logging locally on the host, so there was no shortage of data to review. However, when I tried to get a head start on the review by pulling up any existing documentation on how to review/analyze the logs, and what events/fields to look for specifically, I was faced with a dilemma: I couldn’t find any!
I thought this was a good opportunity to record some of my own.
This will be less of a blog and more of a reference post. I will highlight some essential items and some more interesting bits, and hope it will be useful to you :)
Let’s go!
2. Essentials
First thing to note: the timestamps in the DRE logs appear to be in LOCAL SYSTEM TIME. In my examples, this is EST.
This may be adjustable per system/install, but it is something to keep in mind when reviewing the logs.
A. Log locations
Installation and uninstallation:
C:\Users\USERNAME\Appdata\Local\Temp\DamewareRemoteEverywhereAgentInstaller.install
C:\Users\USERNAME\Appdata\Local\Temp\DamewareRemoteEverywhereAgentInstaller.uninstall
Post installation activity:
Default Paths:
Processes running with privileges: C:\ProgramData\GetSupportService_Dameware\Logs
Processes running without privilege: C:\ProgramData\GetSupportService_Dameware_Common\Logs
Instance Paths:
Processes running with privileges: C:\ProgramData\GetSupportService_Dameware_InstanceName\Logs
Processes running without privilege: C:\ProgramData\GetSupportService_Dameware_Common_InstanceName\Logs
B. Identifying Remote Access - Audit Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\AuditLog\AuditLog_%DATE%_%SESSIONID%_.log
Notes:
- A new unique log file is generated for each remote session, with the Date and SessionID associated with the session in the file name.
Log Events:
[SESSION]
Example:
Example log file contents of a 10-second session:
2025-09-25 12:46:27:044 [603020950008077] [SESSION] - Session started
2025-09-25 12:46:37:746 [603020950008077] [SESSION] - Session ended
C. Identifying Remote Access - BASupSrvc Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupSrvc_%DATE%.log
Notes:
- This log file is generated once per day; there is no per-session log, so all sessions will be present in the same daily log.
Log Events:
[SessionLogin]
[StopSession]
[LOGIN]
Examples:
Example log file contents (SessionLogin):
2025-09-25 11:53:07:414 {P:3156, T:3588} [SessionLogin] - [RemoteDesktopAllowed - -1, KeyboardAllowed - -1, MouseAllowed - -1]
2025-09-25 11:53:07:414 {P:3156, T:3588} [SessionLogin] - Setting session start time...
2025-09-25 11:53:07:414 {P:3156, T:3588} [SessionLogin] - Session is now connected...
2025-09-25 11:53:07:446 {P:3156, T:3588} [ProcessLoginPacket] - Successfuly derived encryption keys...
2025-09-25 11:53:07:446 {P:3156, T:3588} [ProcessLoginPacket] - Encryption is now on...
2025-09-25 11:53:07:664 {P:3156, T:3588} [HandleBeforeClientReady] - RequireLocalUserConfirmationOnSessionStart - 0 | IsRBMSession - 0
2025-09-25 11:53:07:664 {P:3156, T:3588} [HandleBeforeClientReady] - [SessionTokenValue - 9764CE51445C71DCA52E8569EDD0E63A, TokenAuthorized - 0]
2025-09-25 11:53:07:664 {P:3156, T:3588} [SessionLogin] - Enabling image pool timer...
2025-09-25 11:53:07:664 {P:3156, T:3588} [SessionLogin] - Enabling image pool timer...
Example log file contents (StopSession):
2025-09-25 11:58:22:755 {P:3156, T:5548} [ProcessKeepAlive] - Received keep alive packet...
2025-09-25 11:58:25:375 {P:3156, T:1552} [TCPAsyncClient::Disconnect] - Terminating TCP client reader...
2025-09-25 11:58:25:375 {P:3156, T:1552} [TCPAsyncClient::Disconnect] - Disconnecting TCP client...
2025-09-25 11:58:25:375 {P:3156, T:1552} [HandleDoOnDisconnectedEvent] - Disconnect event called...
2025-09-25 11:58:25:375 {P:3156, T:1552} [onTCPSessionDisconnect] - onTCPSessionDisconnect called...
2025-09-25 11:58:25:375 {P:3156, T:1552} [TTCPGatewayConnThread] - Gateway connection disconnected...
2025-09-25 11:58:25:375 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Gateway TCP Session disconnect...
2025-09-25 11:58:25:375 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Connection was established...
2025-09-25 11:58:25:375 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Suspending TxQueue...
2025-09-25 11:58:25:376 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Removing connection from list...
2025-09-25 11:58:25:376 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Removed connection from list!!
2025-09-25 11:58:25:376 {P:3156, T:1552} [GatewayTCPSessionDisconnect] - Deleting connection...
2025-09-25 11:58:25:376 {P:3156, T:1552} [RemoveConnection] - Deleting connection...
2025-09-25 11:58:25:376 {P:3156, T:1552} [~TBAConnection] - Connection still connected... Stopping session...
2025-09-25 11:58:25:376 {P:3156, T:1552} [StopSession] - Stopping CPU usage limit timer...
2025-09-25 11:58:25:377 {P:3156, T:1552} [StopSession] - Deleting CPU usage limit timer...
2025-09-25 11:58:25:377 {P:3156, T:1552} [StopSession] - Stopping image pooling timer...
2025-09-25 11:58:25:380 {P:3156, T:1552} [RestoreMonitorResolutions] - Restoring monitor resolutions in TS mode...
2025-09-25 11:58:25:386 {P:3156, T:1552} [StopSession] - Destroying threads...
2025-09-25 11:58:25:386 {P:3156, T:1552} [GatewayTCPWaitingConnectionCount] - WaitingConnCount - 1 of 2
2025-09-25 11:58:25:386 {P:3156, T:1552} [GatewayHTTPWaitingConnectionCount] - WaitingConnCount - 0 of 0
2025-09-25 11:58:25:386 {P:3156, T:1552} [BeforeSessionEnd] - Calling onSessionEnd...
2025-09-25 11:58:25:386 {P:3156, T:1552} [HandleSessionEnd] - Broadcasting tech count message...
2025-09-25 11:58:25:386 {P:3156, T:1552} [HandleSessionEnd] - Session ended…
D. Identifying Remote Access - BASupTSHelper Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupTSHelper_%PROCESSID%_%DATE%.log
Notes:
- A new unique log file is generated for each remote session, with the Date and ProcessID associated with the session in the file name.
Log Events:
[Main::InitApp]
Example:
2025-09-25 11:53:08:243 {P:2168, T:8356} [Main::InitApp] - BA Helper App started...
2025-09-25 11:53:08:248 {P:2168, T:8356} [Main::InitApp] - Process Integrity Level - HighIntegrity Level
2025-09-25 11:53:08:249 {P:2168, T:8356} [CmdLineArg] - ParamCount - 7
2025-09-25 11:53:08:249 {P:2168, T:8356} [Main::InitApp] - TermServSuffixID - 202509251153073802w8yNyMZeeZBno9
2025-09-25 11:53:08:251 {P:2168, T:8356} [Main::InitApp] - Connected to IPC server...
2025-09-25 11:53:08:251 {P:2168, T:8356} [TImgCapture] - DisplayName - DISPLAY
2025-09-25 11:53:08:252 {P:2168, T:8356} [TImgCapture] - Creating screen capture object | Width - 1900 | Height - 1080 | DPIX - 192 | DPIY - 192
2025-09-25 11:53:08:252 {P:2168, T:8356} [Main::InitApp] - Started capture thread...
2025-09-25 11:53:08:254 {P:2168, T:8356} [Main::InitApp] - Started command thread...
2025-09-25 11:53:08:254 {P:2168, T:8356} [Main::InitApp] - Started clipboard thread...
2025-09-25 11:53:08:254 {P:2168, T:8356} [InstallClipboardListener] - Installing clipboard format listener...
2025-09-25 11:53:08:254 {P:2168, T:8356} [InstallClipboardFormatListener] - Installing clipboard format listener...
2025-09-25 11:53:08:254 {P:2168, T:8356} [AddClipboardFormatListener] - AddClipboardFormatListener found in User32.dll...
2025-09-25 11:53:08:254 {P:2168, T:8356} [InstallClipboardFormatListener] - Clipboard format listener installed...
2025-09-25 11:53:08:254 {P:2168, T:8356} [InstallClipboardListener] - Clipboard format listener installed...
2025-09-25 11:53:08:255 {P:2168, T:9572} [CmdThread] - Started command thread...
2025-09-25 11:53:08:255 {P:2168, T:8356} [Main::InitApp] - Started Laser Pointer thread...
2025-09-25 11:53:08:256 {P:2168, T:8356} [Main::InitApp] - Started special keys thread...
2025-09-25 11:53:08:256 {P:2168, T:5748} [ClipboardThread] - Started clipboard thread...
2025-09-25 11:53:08:257 {P:2168, T:8356} [Main::InitApp] - Started xml msg thread...
2025-09-25 11:53:08:258 {P:2168, T:8356} [Main::InitApp] - Started application close thread...
2025-09-25 11:53:08:258 {P:2168, T:7616} [LaserPointerThread] - Starting Laser Pointer thread...
2025-09-25 11:53:08:258 {P:2168, T:2884} [SpecialKeyThread] - Started special key thread...
E. Identifying Clipboard Usage - BASupTSHelper Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupTSHelper_%PROCESSID%_%DATE%.log
Notes:
- A new unique log file is generated for each remote session, with the Date and ProcessID associated with the session in the file name.
- A lot of clipboard activity is likely automatic, the result of shared-clipboard settings being pre-set, and is not necessarily indicative of specific copy/paste actions to or from the remote host.
Log Events:
[StartClipboardRead]
[ReadClipboardFormat]
[ReadFromClipboard]
[ReadGenericDataFromClipboard]
[WriteToClipboard]
[WMClipboardUpdate]
Example:
2025-09-25 11:57:38:778 {P:2168, T:8356} [WMClipboardUpdate] - WM_CLIPBOARDUPDATE received...
2025-09-25 11:57:38:778 {P:2168, T:8356} [WMClipboardUpdate] - ClipOwnerPID - 8000 | ClipHelperPID - 2040
2025-09-25 11:57:38:778 {P:2168, T:8356} [WMClipboardUpdate] - IsClipboardFormatAvailable - 0
2025-09-25 11:57:38:779 {P:2168, T:8356} [WMClipboardUpdate] - Clipboard changed...
2025-09-25 11:57:38:779 {P:2168, T:8356} [StartClipboardRead] - Signalling start clipboard read...
2025-09-25 11:57:38:780 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 1
2025-09-25 11:57:38:782 {P:2168, T:5748} [ReadFromClipboard] - Clipboard data available... | ClipboardFmtCount - 3 | SeqNumber - 15 | ClipType - 1 | ClipFormat - 1
2025-09-25 11:57:38:782 {P:2168, T:5748} [ReadGenericDataFromClipboard] - Reading generic data from clipboard...
2025-09-25 11:57:38:785 {P:2168, T:5748} [ReadGenericDataFromClipboard] - Clipboard data successfully read...
2025-09-25 11:57:38:788 {P:2168, T:5748} [ReadClipboardFormat] - Read 18596 bytes from clipboard...
2025-09-25 11:57:38:789 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 2
2025-09-25 11:57:38:789 {P:2168, T:5748} [ReadFromClipboard] - Clipboard data available... | ClipboardFmtCount - 3 | SeqNumber - 15 | ClipType - 2 | ClipFormat - 13
2025-09-25 11:57:38:789 {P:2168, T:5748} [ReadGenericDataFromClipboard] - Reading generic data from clipboard...
2025-09-25 11:57:38:790 {P:2168, T:5748} [ReadGenericDataFromClipboard] - Clipboard data successfully read...
2025-09-25 11:57:38:790 {P:2168, T:5748} [ReadClipboardFormat] - Read 9298 bytes from clipboard...
2025-09-25 11:57:38:793 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 3
2025-09-25 11:57:38:805 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 4
2025-09-25 11:57:38:816 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 5
2025-09-25 11:57:38:832 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 6
2025-09-25 11:57:38:849 {P:2168, T:5748} [ReadClipboardFormat] - Reading ClipboardType - 7
2025-09-25 11:57:39:749 {P:2168, T:2300} [HandleCPUMonitoringTimerOnTimer] - Tt: 43% | TS Pr: 0.77% { Us: 0% + Kr: 0.77% } | DWM Pr: 0.38% { Us: 0% + Kr: 0.38% }
2025-09-25 11:57:54:816 {P:2168, T:2300} [HandleCPUMonitoringTimerOnTimer] - Tt: 13% | TS Pr: 11% { Us: 0% + Kr: 11% } | DWM Pr: 5.8% { Us: 0.78% + Kr: 5.1% }
2025-09-25 11:58:09:905 {P:2168, T:2300} [HandleCPUMonitoringTimerOnTimer] - Tt: 14% | TS Pr: 0.78% { Us: 0% + Kr: 0.78% } | DWM Pr: 0% { Us: 0% + Kr: 0% }
2025-09-25 11:58:20:192 {P:2168, T:3520} [WriteToClipboard] - ClipType - 1 | ClipCRC - 0xC6D66DC3 | ClipSize - 4604 | PacketSize - 4620 | Expected - 4620 | ClipFlags - 00000000
2025-09-25 11:58:20:193 {P:2168, T:3520} [WriteToClipboard] - Writing to clipboard 4604 bytes... | ClipType - 1
2025-09-25 11:58:20:194 {P:2168, T:3520} [WriteToClipboard] - ClipFlagsResult - 0x00000000
2025-09-25 11:58:20:194 {P:2168, T:3520} [WriteToClipboard] - Emptying clipboard...
2025-09-25 11:58:20:195 {P:2168, T:3520} [WriteToClipboard] - Writing generic data to clipboard... | Size - 4604
2025-09-25 11:58:20:197 {P:2168, T:3520} [WriteToClipboard] - Flag CLIPBOARD_FLAG_DONT_SYNC_HISTORY don't received...
2025-09-25 11:58:20:198 {P:2168, T:8356} [WMClipboardUpdate] - WM_CLIPBOARDUPDATE received...
2025-09-25 11:58:20:198 {P:2168, T:8356} [WMClipboardUpdate] - ClipOwnerPID - 2168 | ClipHelperPID - 2040
2025-09-25 11:58:20:198 {P:2168, T:8356} [WMClipboardUpdate] - IsClipboardFormatAvailable - 0
F. Identifying File Upload (to remote host/attacker) - Audit Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\AuditLog\AuditLog_%DATE%_%SESSIONID%_.log
Notes:
- A new unique log file is generated for each remote session, with the Date and SessionID associated with the session in the file name.
Log Events:
[FILE UPLOAD]
Example:
2025-10-13 14:14:04:766 [603021130008280] [FILE UPLOAD] - Uploading file "C:\Users\USERNAME\Desktop\file.zip" [22548279 bytes]
2025-10-13 14:14:40:646 [603021130008280] [FILE UPLOAD] - Upload complete | File "file.zip" [22548279 bytes] [613.79 kB/s]
G. Identifying File Download (to local host) - Audit Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\AuditLog\AuditLog_%DATE%_%SESSIONID%_.log
Notes:
- A new unique log file is generated for each remote session, with the Date and SessionID associated with the session in the file name.
Log Events:
[FILE DOWNLOAD]
Example:
2025-10-13 14:16:55:444 [603021130008280] [FILE DOWNLOAD] - Downloading file "C:\Users\USERNAME\Desktop\Rubeus.exe" [466432 bytes]
2025-10-13 14:16:55:946 [603021130008280] [FILE DOWNLOAD] - Download complete | File "C:\Users\USERNAME\Desktop\Rubeus.exe" [466432 bytes] [911.00 kB/s]
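As an added example (not code from this post or from Dameware/N-able), the following Python parses Audit Log lines of the shape shown in the session, file upload and file download sections above into a per-session timeline: it converts the local timestamps to UTC with an analyst-supplied offset, pairs each transfer's start line with its completion line, and flags transfers that started but never logged completion. The sample log (session IDs, paths, sizes) and the -5 h offset are constructed.

```python
"""Parse Dameware Remote Everywhere AuditLog_*.log lines into a per-session
timeline of remote sessions and file transfers.

Added example; not code from the original post or from Dameware/N-able. The
line shape is taken from the post: 'YYYY-MM-DD HH:MM:SS:mmm [SESSIONID] [EVENT] - msg'.
Timestamps are local system time (per the post), so the caller supplies the
host's UTC offset. The sample log and the -5 h offset used below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) "
    r"\[(?P<sid>\d+)\] \[(?P<event>[A-Z ]+)\] - (?P<msg>.*)$"
)
XFER_START_RE = re.compile(r'^(?:Uploading|Downloading) file "(?P<path>[^"]+)" \[(?P<size>\d+) bytes\]')
XFER_DONE_RE = re.compile(r'^(?:Upload|Download) complete \| File "(?P<path>[^"]+)" \[(?P<size>\d+) bytes\]')

# Constructed sample. Each session really lives in its own AuditLog file; the
# parser keys on the session id, so several files can simply be concatenated.
# The second session starts an upload that never logs "Upload complete".
SAMPLE_AUDIT_LOG = r"""
2025-10-13 14:14:01:120 [603021130008280] [SESSION] - Session started
2025-10-13 14:14:04:766 [603021130008280] [FILE UPLOAD] - Uploading file "C:\Users\USERNAME\Desktop\file.zip" [22548279 bytes]
2025-10-13 14:14:40:646 [603021130008280] [FILE UPLOAD] - Upload complete | File "file.zip" [22548279 bytes] [613.79 kB/s]
2025-10-13 14:16:55:444 [603021130008280] [FILE DOWNLOAD] - Downloading file "C:\Users\USERNAME\Desktop\tool.exe" [466432 bytes]
2025-10-13 14:16:55:946 [603021130008280] [FILE DOWNLOAD] - Download complete | File "C:\Users\USERNAME\Desktop\tool.exe" [466432 bytes] [911.00 kB/s]
2025-10-13 14:20:10:003 [603021130008280] [SESSION] - Session ended
2025-10-13 16:00:00:000 [603021130008299] [SESSION] - Session started
2025-10-13 16:00:05:500 [603021130008299] [FILE UPLOAD] - Uploading file "C:\Users\USERNAME\Documents\notes.txt" [1024 bytes]
2025-10-13 16:00:09:000 [603021130008299] [SESSION] - Session ended
"""


def to_utc(ts, ms, utc_offset_hours):
    """Attach the host's local offset to a log timestamp and normalise it to UTC."""
    local = datetime.strptime(f"{ts}.{ms}", "%Y-%m-%d %H:%M:%S.%f")
    return local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours))).astimezone(timezone.utc)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_audit_log(text, utc_offset_hours):
    """Return a list of sessions: {session_id, start, end, transfers: [...]}."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an audit line; ignore quietly
        when = to_utc(m["ts"], m["ms"], utc_offset_hours)
        sess = sessions.setdefault(
            m["sid"], {"session_id": m["sid"], "start": None, "end": None, "transfers": []})
        event, msg = m["event"], m["msg"]
        if event == "SESSION":
            if msg.startswith("Session started"):
                sess["start"] = when
            elif msg.startswith("Session ended"):
                sess["end"] = when
        elif event in ("FILE UPLOAD", "FILE DOWNLOAD"):
            direction = "upload" if event == "FILE UPLOAD" else "download"
            s = XFER_START_RE.match(msg)
            if s:
                sess["transfers"].append({"direction": direction, "path": s["path"],
                                          "bytes": int(s["size"]), "started": when, "completed": None})
                continue
            d = XFER_DONE_RE.match(msg)
            if d:
                # "Upload complete" logs only the file name, so pair it with the newest
                # still-open transfer of the same direction, size and basename.
                for t in reversed(sess["transfers"]):
                    if (t["completed"] is None and t["direction"] == direction
                            and t["bytes"] == int(d["size"]) and _basename(t["path"]) == _basename(d["path"])):
                        t["completed"] = when
                        break
    return list(sessions.values())


def session_duration_seconds(sess):
    """Seconds between Session started and Session ended, or None if either is missing."""
    if sess["start"] is None or sess["end"] is None:
        return None
    return (sess["end"] - sess["start"]).total_seconds()


def incomplete_transfers(sessions):
    """Transfers that began but never logged completion: worth a closer look."""
    return [t for s in sessions for t in s["transfers"] if t["completed"] is None]


if __name__ == "__main__":
    for s in parse_audit_log(SAMPLE_AUDIT_LOG, utc_offset_hours=-5):
        print(s["session_id"], s["start"], s["end"], session_duration_seconds(s))
        for t in s["transfers"]:
            print("   ", t["direction"], t["path"], t["bytes"], "completed" if t["completed"] else "INCOMPLETE")
```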
H. Identifying Registry Edits - BASupRegEditHlpr Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupRegEditHlpr_%DATE%.log
Notes:
- This log file is only generated when the ‘Remote Registry’ functionality is triggered in the remote session viewer. It is generated once for each day the feature is used; there is no per-session log, so all sessions from that day will be present in the same daily log.
Log Events:
[InitializeApp] - start of remote registry session
[HandlePacketModifyValue]
[HandlePacketRetrieveRegistryData]
[RenameRegValue]
[HandlePacketDeleteValue]
[HandlePacketDeleteKey]
[HandlePacketCloseModule] - end of remote registry session
Example:
2025-10-13 14:47:12:730 {8692} [ClipHelper] [Main] - Search path set...
2025-10-13 14:47:12:731 {8692} [ClipHelper] [Main] - CWD removed from directory set...
2025-10-13 14:47:12:735 {8692} [ClipHelper] [InitializeApp] - Parsing command line arguments...
2025-10-13 14:47:12:735 {8692} [ClipHelper] [ParseCommandLineArguments] - ParamCount - 2
2025-10-13 14:47:12:736 {8692} [ClipHelper] [ParseCommandLineArguments] - ParamStr - C:\PROGRA~2\DAMEWA~1\BASupRegEditHlpr.exe -p nLIQY8vmlwczwFoOoV7gMfz6KkDEgssv
2025-10-13 14:47:12:736 {8692} [ClipHelper] [InitializeApp] - Connecting to IPC server...
2025-10-13 14:47:12:736 {8692} [ClipHelper] [ConnectToIPCServer] - Connecting to IPC server...
2025-10-13 14:47:12:737 {8692} [ClipHelper] [HandleIPCClientOnConnect] - Connected to server...
2025-10-13 14:47:12:738 {8692} [ClipHelper] [InitializeApp] - Connected to IPC server...
2025-10-13 14:47:12:890 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname></keyname>
2025-10-13 14:47:12:891 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName -
2025-10-13 14:47:12:998 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKU</rootkey><keyname></keyname>
2025-10-13 14:47:12:999 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKU | KeyName -
2025-10-13 14:47:14:357 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE</keyname>
2025-10-13 14:47:14:358 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE
2025-10-13 14:47:15:953 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname>
2025-10-13 14:47:15:954 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE\Google
2025-10-13 14:47:17:661 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>vgdEIZXufvJvnOnh</req>
2025-10-13 14:47:18:911 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname><valuename></valuename><valuedata></valuedata>
2025-10-13 14:47:18:912 {8692} [ClipHelper] [HandlePacketCreateValue] - RootKey - HKLM | KeyName - SOFTWARE\Google | ValueName - | ValueData -
2025-10-13 14:47:18:912 {8692} [ClipHelper] [HandlePacketCreateValue] - Value created successfuly...
2025-10-13 14:47:19:115 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname>
2025-10-13 14:47:19:116 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE\Google
2025-10-13 14:47:23:681 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>yD2ItISkzLg6whDi</req>
2025-10-13 14:47:23:825 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname><valuename>New Value #1</valuename><valuedata>test</valuedata>
2025-10-13 14:47:23:825 {8692} [ClipHelper] [HandlePacketModifyValue] - RootKey - HKLM | KeyName - SOFTWARE\Google | ValueName - New Value #1 | ValueData - test
2025-10-13 14:47:23:826 {8692} [ClipHelper] [HandlePacketModifyValue] - Value created successfuly...
2025-10-13 14:47:23:937 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname>
2025-10-13 14:47:23:938 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE\Google
2025-10-13 14:47:29:698 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>YAvj10fDWn3VBU4J</req>
2025-10-13 14:47:31:469 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname><valuename>New Value #1</valuename><newvaluename>testname</newvaluename>
2025-10-13 14:47:31:470 {8692} [ClipHelper] [HandlePacketModifyValueName] - RootKey - HKLM | KeyName - SOFTWARE\Google | ValueName - New Value #1 | NewValueName - testname
2025-10-13 14:47:31:471 {8692} [ClipHelper] [RenameRegValue] - ValueName - New Value #1 | NewValueName - testname | ValueType - 1 | dwValueSize - 10
2025-10-13 14:47:31:472 {8692} [ClipHelper] [HandlePacketModifyValueName] - Value renamed successfuly...
2025-10-13 14:47:31:660 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname>
2025-10-13 14:47:31:661 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE\Google
2025-10-13 14:47:34:713 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>R8KDgXVrVrPvSOa3</req>
2025-10-13 14:47:37:458 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname><valuename>testname</valuename>
2025-10-13 14:47:37:459 {8692} [ClipHelper] [HandlePacketDeleteValue] - RootKey - HKLM | KeyName - SOFTWARE\Google | ValueName - testname
2025-10-13 14:47:37:460 {8692} [ClipHelper] [HandlePacketDeleteKey] - Value deleted successfuly...
2025-10-13 14:47:37:507 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <rootkey>HKLM</rootkey><keyname>SOFTWARE\Google</keyname>
2025-10-13 14:47:37:507 {8692} [ClipHelper] [HandlePacketRetrieveRegistryData] - RootKey - HKLM | KeyName - SOFTWARE\Google
2025-10-13 14:47:40:717 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>vSKos7qaPJhUpxC0</req>
2025-10-13 14:47:46:235 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML - <req>oxtBIfEpf5tpx9JV</req>
2025-10-13 14:47:48:266 {8692} [ClipHelper] [ProcessRegEditCmdPacket] - ReqXML -
2025-10-13 14:47:48:267 {8692} [ClipHelper] [HandlePacketCloseModule] - Received PacketCloseModule...
I. Identifying System Shell Usage - BASupSrvc Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupSrvc_%DATE%.log
Notes:
- This log file is generated once per day; there is no per-session log, so all sessions will be present in the same daily log.
Log Events:
[ProcessSystemShellPacket]
[TRmtSysShellThread]
[SysShellThread]
[HandleSystemShellShellStarted]
[HandleSystemShellShellTerminated]
Examples:
Example log file contents:
2025-10-13 14:50:31:540 {P:5820, T:5372} [HandleRemoteDesktopResume] - Remote desktop session resumed...
2025-10-13 14:50:31:545 {P:5820, T:8340} [ProcessSystemShellPacket] - MagicID match not found...
2025-10-13 14:50:31:546 {P:5820, T:8340} [ProcessSystemShellPacket] - Shell type - normal shell
2025-10-13 14:50:31:551 {P:5820, T:8340} [ProcessSystemShellPacket] - New system shell thread created - MID20251013185031305
2025-10-13 14:50:31:562 {P:5820, T:9312} [TRmtSysShellThread] - TRmtSysShellThread::Execute() started...
2025-10-13 14:50:31:575 {P:5820, T:9312} [TRmtSysShellThread::GetStartShellCmd] - StartShellCMD - "C:\PROGRA~2\DAMEWA~1\BASupSysShell64.exe" MID20251013185031305 "cmd.exe /A"
2025-10-13 14:50:31:576 {P:5820, T:9312} [SysShellThread::Execute] - CreateProcessW called...
2025-10-13 14:50:31:576 {P:5820, T:9312} [SysShellThread::Execute] - StartShellCMD - "C:\PROGRA~2\DAMEWA~1\BASupSysShell64.exe" MID20251013185031305 "cmd.exe /A"
2025-10-13 14:50:31:576 {P:5820, T:9312} [SysShellThread::Execute] - StartShellApp - C:\PROGRA~2\DAMEWA~1\BASupSysShell64.exe
2025-10-13 14:50:31:576 {P:5820, T:9312} [SysShellThread::Execute] - dwProcStartFlags - 0x08000020
2025-10-13 14:50:31:628 {P:5820, T:9312} [SysShellThread::Execute] - CreateProcessW successful...
2025-10-13 14:50:31:629 {P:5820, T:9312} [HandleSystemShellShellStarted] - HandleSystemShellShellStarted called...
2025-10-13 14:50:32:604 {P:5820, T:5852} [ProcessKeepAlive] - Received keep alive packet...
2025-10-13 14:50:37:605 {P:5820, T:5852} [ProcessKeepAlive] - Received keep alive packet...
2025-10-13 14:50:42:604 {P:5820, T:5852} [ProcessKeepAlive] - Received keep alive packet...
2025-10-13 14:50:43:285 {P:5820, T:4764} [HandleCPUMonitoringTimerOnTimer] - Tt: 32% | Pr: 3.6% | Us: 2.7% | Kr: 0.91%
2025-10-13 14:50:47:333 {P:5820, T:9312} [SysShellThread::Execute] - Shell terminating...
2025-10-13 14:50:47:344 {P:5820, T:9312} [SysShellThread::Execute] - Script ExitCode - 0x00000000
2025-10-13 14:50:47:344 {P:5820, T:9312} [SysShellThread::Execute] - Shell terminated...
2025-10-13 14:50:47:344 {P:5820, T:9312} [HandleSystemShellShellTerminated] - HandleSystemShellShellTerminated called...
2025-10-13 14:50:47:345 {P:5820, T:9312} [SysShellThread::Execute] - Thread terminating...
2025-10-13 14:50:47:345 {P:5820, T:9312} [SysShellThread::Execute] - Shell already terminated...
J. Identifying Set Blank Screen Usage - BASupTSHelper Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupTSHelper_%PROCESSID%_%DATE%.log
Notes:
- A new unique log file is generated for each remote session, with the Date and ProcessID associated with the session in the file name.
Log Events:
[SpecialKeyThread::BlankScreen]
[SpecialKeyThread::UnblankScreen]
Examples:
Example log file contents:
2025-10-13 15:01:07:537 {P:4836, T:3516} [SpecialKeyThread::BlankScreen] - Turned off lock on wake AC...
2025-10-13 15:01:07:613 {P:4836, T:3516} [SpecialKeyThread::BlankScreen] - Turned off lock on wake DC...
2025-10-13 15:01:07:613 {P:4836, T:3516} [SpecialKeyThread::BlankScreen] - Turning off monitor...
2025-10-13 15:01:07:620 {P:4836, T:3516} [SpecialKeyThread::BlankScreen] - Creating timer...
2025-10-13 15:01:07:620 {P:4836, T:3516} [SpecialKeyThread::BlankScreen] - Enabling timer...
2025-10-13 15:01:07:620 {P:4836, T:3516} [SpecialKeyThread] - Blanked screen...
2025-10-13 15:01:08:529 {P:4836, T:5136} [CmdThread] - Timeout waiting for mouse data data ready...
2025-10-13 15:01:12:478 {P:4836, T:3516} [SpecialKeyThread::UnblankScreen] - Disabling timer...
2025-10-13 15:01:12:482 {P:4836, T:3516} [SpecialKeyThread::UnblankScreen] - Terminating timer...
2025-10-13 15:01:12:482 {P:4836, T:3516} [SpecialKeyThread::UnblankScreen] - Turning on monitor...
2025-10-13 15:01:12:582 {P:4836, T:3516} [SpecialKeyThread::UnblankScreen] - Restored lock on wake DC...
2025-10-13 15:01:12:645 {P:4836, T:3516} [SpecialKeyThread::UnblankScreen] - Restored lock on wake AC...
2025-10-13 15:01:12:645 {P:4836, T:3516} [SpecialKeyThread] - Unblanked screen...
K. Identifying Set Blank Screen Usage - BASupSrvc Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupSrvc_%DATE%.log
Notes:
- This log file is generated once per day; there is no per-session log, so all sessions will be present in the same daily log.
Log Events:
[ExecuteSysCmd]
[HandleSysCmdExecute]
[HandleOnAfterSysCmdExecute]
[SpecialKeyThread]
Examples:
Example log file contents:
2025-10-13 15:01:07:455 {P:5820, T:1340} [ExecuteSysCmd] - SysCmdEx detected...
2025-10-13 15:01:07:456 {P:5820, T:1340} [HandleSysCmdExecute] - System command SYS_BLANKSCREEN...
2025-10-13 15:01:07:456 {P:5820, T:1340} [HandleOnAfterSysCmdExecute] - Received SYS_BLANKSCREEN...
2025-10-13 15:01:07:456 {P:5820, T:1340} [HandleOnAfterSysCmdExecute] - Turning off monitor in session mode...
2025-10-13 15:01:07:620 {P:5820, T:1340} [SpecialKeyThread] - Turning off monitor sent...
2025-10-13 15:01:12:478 {P:5820, T:1340} [ExecuteSysCmd] - SysCmdEx detected...
2025-10-13 15:01:12:478 {P:5820, T:1340} [HandleSysCmdExecute] - System command SYS_BLANKSCREEN...
2025-10-13 15:01:12:478 {P:5820, T:1340} [HandleOnAfterSysCmdExecute] - Received SYS_BLANKSCREEN...
2025-10-13 15:01:12:478 {P:5820, T:1340} [HandleOnAfterSysCmdExecute] - Turning on monitor in session mode...
2025-10-13 15:01:12:479 {P:5820, T:7096} [ProcessKeepAlive] - Received keep alive packet...
2025-10-13 15:01:12:645 {P:5820, T:1340} [SpecialKeyThread] - Turning on monitor sent...
L. Identifying Network Endpoints - BASupSrvc Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupSrvc_%DATE%.log
Notes:
- This log file is generated once per day; there is no per-session log, so all sessions will be present in the same daily log.
- These events can be useful for identifying connections to Dameware/N-Able infrastructure and might assist in locating additional installs of Dameware Remote Everywhere.
Log Events:
[PerformGatewayDNSResolution]
[PerformGatewayTCPConnectionTest]
[PerformGatewayTLSConnectionTest]
Examples:
Example log file contents:
2025-10-13 14:50:24:803 {P:5820, T:6788} [PerformGatewayDNSResolution] - Testing DNS resolution for ordgw-mct28.mspa.n-able.com...
2025-10-13 14:50:24:863 {P:5820, T:6788} [PerformGatewayDNSResolution] - DNS resolution successful | Result - 38.71.17.68 [TTL - 5s]
2025-10-13 14:50:24:863 {P:5820, T:6788} [PerformGatewayTCPConnectionTest] - Testing gateway TCP connectivity...
2025-10-13 14:50:24:864 {P:5820, T:6788} [GWConnMonitoringThread::GetGatewayHost] - GatewayUseFQDNToConnect - 0
2025-10-13 14:50:24:864 {P:5820, T:6788} [PerformGatewayTCPConnectionTest] - Testing gateway direct TCP [Port - 443] connectivity...
2025-10-13 14:50:24:865 {P:5820, T:6788} [TCPAsyncClient::SetOnDisconnectedEvent] - Setting onDisconnect event...
2025-10-13 14:50:25:015 {P:5820, T:6788} [PerformGatewayTCPConnectionTest] - Gateway 38.71.17.68:443 TCP connection OK | Connect - 126763 s | RTT - 22998 s
...SNIP...
2025-10-13 14:50:25:377 {P:5820, T:6788} [TLSClient::Connect] - TLS handshake successful...
2025-10-13 14:50:25:377 {P:5820, T:6788} [TLSClient::Connect] - Subject: /C=GB/L=Dundee/O=N-ABLE TECHNOLOGIES LTD/CN=*.mspa.n-able.com
Issuer: /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
2025-10-13 14:50:25:377 {P:5820, T:6788} [TLSClient::Connect] - Protocol: TLSv1.2; Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
2025-10-13 14:50:25:377 {P:5820, T:6788} [TCPAsyncClient::StartTLS] - TLS connection established...
2025-10-13 14:50:25:378 {P:5820, T:6952} [TTLSClientConnThread] - Thread started... ThreadID - 6952
2025-10-13 14:50:25:404 {P:5820, T:6788} [PerformGatewayTLSConnectionTest] - Gateway ordgw-mcu28.mspa.n-able.com:443 TLS connection OK | Connect - 360971 s | RTT - 27096 s
3. Extras
A. Session Statistics - BASupSrvc Log
Logfile:
C:\ProgramData\GetSupportService_Dameware\Logs\BASupSrvc_%DATE%.log
Notes:
- This log file is generated once per day; there is no per-session log, so all sessions will be present in the same daily log.
- Session statistics are written at the end of each remote session.
Log Events:
[StopSession]
[UpdateSessionStatistics]
Examples:
Example log file contents:
2025-10-13 15:02:24:075 {P:5820, T:9060} [CmdProc] - Command processing thread exited
2025-10-13 15:02:24:075 {P:5820, T:9060} [CmdProc] - Releasing cursor shape context...
2025-10-13 15:02:24:075 {P:5820, T:9060} [CmdProc] - CmdProcThread thread exited...
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - Stopping session timeout timer...
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - Stopped session timeout timer...
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - SESSION STATISTICS
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - Session Start - 2025-10-13 15:00:50
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - Session End - 2025-10-13 15:02:24
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - TotalBytesSent - 175055 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - TotalBytesReceived - 7461 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - RemoteDesktopBytesSent - 162970 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - RemoteDesktopBytesReceived - 4895 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - RemoteDesktopImageBytesSent - 89984 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - FileTransferBytesSent - 633 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - FileTransferBytesReceived - 17 bytes
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - FileShareBytesSent - 0 bytes
2025-10-13 15:02:24:111 {P:5820, T:6420} [StopSession] - FileShareBytesReceived - 0 bytes
2025-10-13 15:02:24:111 {P:5820, T:6420} [StopSession] - Updating session statistics to comserver...
2025-10-13 15:02:24:111 {P:5820, T:6420} [UpdateSessionStatistics] - Updating session statistics...
2025-10-13 15:02:24:112 {P:5820, T:6420} [ComServerUpdateSessionStatistics] - Posting To ComServer...
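As an added example (not code from this post or from Dameware/N-able), this Python triages BASupSrvc and BASupRegEditHlpr log lines of the shapes shown in the remote access, registry, system shell, blank screen, network endpoint and session statistics sections above. It keeps a timestamp-less continuation line (like the Issuer: line) attached to its entry, splits the "Key - Value | Key - Value" fields, and emits a findings list an analyst can sort by time. All sample lines, the hostname, IP address and token value are constructed.

```python
"""Triage Dameware Remote Everywhere BASupSrvc_*.log and BASupRegEditHlpr_*.log
lines (added example; not code from the post or from Dameware/N-able).
Line shapes follow the post's samples:
    YYYY-MM-DD HH:MM:SS:mmm {P:<pid>, T:<tid>} [Handler] - message   (BASupSrvc)
    YYYY-MM-DD HH:MM:SS:mmm {<pid>} [ClipHelper] [Handler] - message  (RegEditHlpr)
Messages often carry "Key - Value | Key - Value" fields. A line with no timestamp
(the post's "Issuer:" line) is kept as a continuation of the entry before it.
The sample lines, hostname, IP address and token value below are constructed.
"""
import re

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) "
    r"\{(?:P:(?P<pid>\d+), T:(?P<tid>\d+)|(?P<hpid>\d+))\}"
    r"(?: \[ClipHelper\])? \[(?P<handler>[^\]]+)\] - (?P<msg>.*)$"
)
QUOTED_RE = re.compile(r'"([^"]*)"')
TOKEN_RE = re.compile(r"SessionTokenValue - ([0-9A-Fa-f]+)")
DNS_TEST_RE = re.compile(r"Testing DNS resolution for (.+?)\.\.\.$")
REG_WRITE_HANDLERS = {"HandlePacketCreateValue", "HandlePacketModifyValue",
                      "HandlePacketModifyValueName", "HandlePacketDeleteValue",
                      "HandlePacketDeleteKey"}

SAMPLE_LOG = r"""
2025-10-13 14:50:24:803 {P:5820, T:6788} [PerformGatewayDNSResolution] - Testing DNS resolution for gw.example.invalid...
2025-10-13 14:50:24:863 {P:5820, T:6788} [PerformGatewayDNSResolution] - DNS resolution successful | Result - 198.51.100.7 [TTL - 5s]
2025-10-13 14:50:25:377 {P:5820, T:6788} [TLSClient::Connect] - Subject: /C=GB/O=EXAMPLE/CN=*.example.invalid
Issuer: /C=US/O=Example CA/CN=Example Root CA
2025-10-13 14:50:30:000 {P:5820, T:3588} [SessionLogin] - Session is now connected...
2025-10-13 14:50:30:100 {P:5820, T:3588} [HandleBeforeClientReady] - [SessionTokenValue - 0123456789ABCDEF0123456789ABCDEF, TokenAuthorized - 0]
2025-10-13 14:50:31:575 {P:5820, T:9312} [TRmtSysShellThread::GetStartShellCmd] - StartShellCMD - "C:\PROGRA~2\DAMEWA~1\BASupSysShell64.exe" MID20251013185031305 "cmd.exe /A"
2025-10-13 14:51:10:825 {8692} [ClipHelper] [HandlePacketModifyValue] - RootKey - HKLM | KeyName - SOFTWARE\Example | ValueName - New Value #1 | ValueData - test
2025-10-13 15:01:07:456 {P:5820, T:1340} [HandleOnAfterSysCmdExecute] - Turning off monitor in session mode...
2025-10-13 15:02:24:110 {P:5820, T:6420} [StopSession] - FileTransferBytesSent - 633 bytes
2025-10-13 15:02:24:386 {P:5820, T:6420} [HandleSessionEnd] - Session ended...
"""

def parse_entries(text):
    """Split log text into entries; a timestamp-less line extends the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            e = m.groupdict()
            e["pid"] = e["pid"] or e["hpid"]  # helper logs carry only a PID
            e["extra"] = []
            entries.append(e)
        elif entries and raw.strip():
            entries[-1]["extra"].append(raw.strip())
    return entries

def fields(msg):
    """Parse 'Key - Value | Key - Value'; parts without ' - ' are ignored."""
    out = {}
    for part in msg.split(" | "):
        key, sep, value = part.partition(" - ")
        if sep:
            out[key.strip()] = value.strip()
    return out

def triage(text):
    """Return (timestamp, kind, detail) findings in log order."""
    findings = []
    for e in parse_entries(text):
        h, msg, ts, f = e["handler"], e["msg"], e["ts"], fields(e["msg"])
        if h == "PerformGatewayDNSResolution":
            m = DNS_TEST_RE.match(msg)
            if m:
                findings.append((ts, "gateway_host", m.group(1)))
            elif "Result" in f:
                findings.append((ts, "gateway_ip", f["Result"].split()[0]))
        elif h == "TLSClient::Connect" and msg.startswith("Subject:"):
            findings.append((ts, "gateway_tls", " ".join([msg] + e["extra"])))
        elif h == "SessionLogin" and msg.startswith("Session is now connected"):
            findings.append((ts, "session_connected", f"pid={e['pid']} tid={e['tid']}"))
        elif h == "HandleBeforeClientReady" and TOKEN_RE.search(msg):
            findings.append((ts, "session_token", TOKEN_RE.search(msg).group(1)))
        elif h == "TRmtSysShellThread::GetStartShellCmd" and "StartShellCMD" in f:
            # The last quoted argument is the shell handed to BASupSysShell64.exe.
            quoted = QUOTED_RE.findall(f["StartShellCMD"])
            findings.append((ts, "system_shell", quoted[-1] if quoted else f["StartShellCMD"]))
        elif h in REG_WRITE_HANDLERS:
            kind = "registry_" + h[len("HandlePacket"):].lower()
            findings.append((ts, kind, " | ".join(f"{k}={v}" for k, v in f.items())))
        elif h == "HandleOnAfterSysCmdExecute" and "monitor" in msg:
            kind = "screen_blanked" if "Turning off" in msg else "screen_unblanked"
            findings.append((ts, kind, msg.rstrip(".")))
        elif h == "StopSession" and any(k.endswith(("BytesSent", "BytesReceived")) for k in f):
            findings.append((ts, "session_stat", "; ".join(f"{k}={v}" for k, v in f.items())))
        elif h == "HandleSessionEnd" and msg.startswith("Session ended"):
            findings.append((ts, "session_ended", f"pid={e['pid']}"))
    return findings

if __name__ == "__main__":
    for ts, kind, detail in triage(SAMPLE_LOG):
        print(ts, kind.ljust(20), detail)
```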