
How to monitor if DUO client is active on Windows device

RF031
Level 1

Hello,

Which process should we monitor to see if the DUO client is actively running on a Windows device?

We did find the link https://duo.my.site.com/s/article/5536?language=en_US but we want to check if it is actively running on the device and not if it is installed.

Thanks in advance.


DuoKristina
Cisco Employee

Duo Authentication for Windows Logon (the application the article you linked is about) is not an application or service that actively runs all day, so there's nothing to monitor. It's a credential provider that only gets executed during system login.

Are you asking about something besides Duo Authentication for Windows Logon?

Duo, not DUO.

Thanks for your quick reply.
If DUO is not an application or service on a Windows device, then it will indeed be difficult to monitor this.
The only thing that can be monitored is whether DLLs are present?

I don't understand what you are trying to accomplish. What data point do you want to monitor?

Monitoring if the installation is there by seeing if the DLLs are present lets you know that the end-user did not uninstall the application.

Monitoring the registry keys HKLM\SOFTWARE\Duo Security\DuoCredProv and HKLM\Software\Policies\Duo Security\DuoCredProv lets you know that the configuration is intact and the end-user did not tamper with settings.

If you want to monitor workstation logins authenticating with Duo, you might want to do that from the Duo Authentication Logs in the Admin Panel or accessible via the Duo Admin API's logging endpoint.

The Duo logon event is also captured locally in the Windows Event Viewer - Application log.


Duo, not DUO.
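
The registry and DLL checks described in the reply above can be scripted as a baseline-and-compare job. This is an added example, not code from the thread or from Duo; the `$DllPaths` parameter and the baseline file location are assumptions, and the DLL paths must be taken from the Duo article linked in the question.

```powershell
# Added example: baseline-and-compare check for the two registry keys named in the reply.
# $DllPaths and $BaselineFile are assumptions, not values from the thread.
param(
    [string[]]$DllPaths = @(),   # placeholder: DLL locations are not given in this thread
    [string]$BaselineFile = "$env:ProgramData\DuoMonitor\baseline.json"   # hypothetical path
)

$Keys = @(
    'HKLM:\SOFTWARE\Duo Security\DuoCredProv',
    'HKLM:\SOFTWARE\Policies\Duo Security\DuoCredProv'
)

function Get-KeyFingerprint([string]$Path) {
    # A key that does not exist (for example, no policy configured) is recorded as MISSING.
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $key = Get-Item -LiteralPath $Path
    # Hash the name=value pairs so the baseline never stores the settings themselves.
    $lines = foreach ($name in ($key.GetValueNames() | Sort-Object)) {
        '{0}={1}' -f $name, (@($key.GetValue($name)) -join ',')
    }
    $bytes = [Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))
    $sha = [Security.Cryptography.SHA256]::Create()
    try { return [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# Collect the current state: one fingerprint per registry key, one hash per DLL.
$current = [ordered]@{}
foreach ($k in $Keys) { $current[$k] = Get-KeyFingerprint $k }
foreach ($d in $DllPaths) {
    $current[$d] = if (Test-Path -LiteralPath $d) {
        (Get-FileHash -LiteralPath $d -Algorithm SHA256).Hash
    } else { 'MISSING' }
}

# First run: record the known-good state and stop.
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    Write-Output "Baseline written to $BaselineFile"
    exit 0
}

# Later runs: report every item whose fingerprint differs from the baseline.
$baseline = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
$drift = foreach ($item in $current.Keys) {
    $was = $baseline.PSObject.Properties[$item].Value
    if ($was -ne $current[$item]) {
        [pscustomobject]@{ Item = $item; Baseline = $was; Current = $current[$item] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
Write-Output 'Duo registry configuration and files match the baseline.'
```

Run it once on a known-good install to create the baseline, then on a schedule; a non-zero exit code means a key, value or DLL changed or disappeared. Delete the baseline file and re-run after a planned upgrade or configuration change, and keep the baseline somewhere standard users cannot write.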

Thanks for the answer.
We were looking for a way to check that the DUO client is active on the device and not uninstalled by a user. We will work on this and thanks again for the support!
