Architecture Diagram
File Locations
The Appmon files are part of the common base agent, and are always deployed on the agent
Installer:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\Installer.exe
Service files:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\IvAppMonSvc.exe
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\IvAppMon.dll
Service configuration file:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\configuration.xml
Driver files:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\IvAppMon.sys
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\IvAppMon64.sys
SQLite assemblies:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\System.Data.SQLite.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\x64\SQLite.Interop.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\x86\SQLite.Interop.dll
UI with its localization files:
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\IvAppMonUI.exe
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\de-de\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\es-es\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\fr-fr\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\it-it\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\ja-jp\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\pt-br\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\ru-ru\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\zh-cn\IvAppMonUI.resources.dll
- C:\Program Files (x86)\LANDesk\LDClient\AppMon\zh-tw\IvAppMonUI.resources.dll
Installation on the endpoint
Appmon is dynamically enabled/disabled by vulscan, depending on the “User feedback” option:
When this option is enabled, vulscan calls installer.exe, which will automatically install the appmon "engine" in the following locations:
Service component:
- C:\Program Files\Ivanti\Ivanti Application Monitor\IvAppMonSvc.exe
- C:\Program Files\Ivanti\Ivanti Application Monitor\IvAppMon.dll
- C:\Program Files\Ivanti\Ivanti Application Monitor\System.Data.SQLite.dll
- C:\Program Files\Ivanti\Ivanti Application Monitor\SQLite.Interop.dll (x64 or x86 version depending on the platform)
Driver component:
- C:\Windows\system32\drivers\IvAppMon.sys (x64 or x86 version depending on the platform)
Please note that the Appmon component is also used by Ivanti Pulse.
That's why the "engine" files are installed in "C:\Program Files\Ivanti\Ivanti Application Monitor" instead of using them directly from "C:\Program Files (x86)\LANDesk\LDClient\AppMon".
Since EPM and Pulse can be installed on the same computer, the appmon installer will not remove the engine as long as at least one component is still using it.
Database file
The appmon service records the process activity in the following database:
C:\ProgramData\LANDesk\Data\IvAppMon.db
This is a SQLite database which can be opened using standard tools (i.e. DB Browser for SQLite)
Debug logging
Appmon components use the following log files:
- C:\ProgramData\LANDesk\Log\IvAppMonSvc.log
- C:\ProgramData\LANDesk\Log\ivappmonui-{sessionId}.log
Verbose debugging can be activated by creating the following registry key:
- HKLM \SYSTEM\CurrentControlSet\Services\IvAppMonSvc | Debug (DWORD) 1
A service restart is required when switching to debug mode.In debug mode, the log files are displayed as following:
- C:\ProgramData\LANDesk\Log\IvAppMonSvc-{yyyy-mm-dd-hhmmss}.log
- C:\ProgramData\LANDesk\Log\IvAppMonUI-{sessionId}-{yyyy-mm-dd-hhmmss}.log
Application monitoring workflow
In green: specific to EPM
In gray: specific to Pulse
Patch monitoring workflow
Vulscan uses the following registry key to indicate to appmon if a process is a patch process:
- HKLM \SOFTWARE\WOW6432Node\LANDesk\ManagementSuite\WinClient\PatchMonitoring
Application crash interception
The Appmon service monitor the Windows Event Log to detect application crash (event id 1000).
When a crash is detected, the crash information are recorded in the following registry key:
- HKLM\SYSTEM\CurrentControlSet\Services\IvAppMonSvc\PatchMonitoring\AppCrashes
User Interface
Double click or right click on the tray icon near the Windows clock
Client to Core communication
User report information are written into C:\ProgramData\Vulscan\ActionHistory.{CoreName}.xml
Data is sent by vulscan.exe
Troubleshooting
- Check if the appmon service is installed:
- Check if the following files exist:
- C:\Program Files\Ivanti\Ivanti Application Monitor\IvAppMonSvc.exe
- C:\Program Files\Ivanti\Ivanti Application Monitor\IvAppMon.dll
- C:\Program Files\Ivanti\Ivanti Application Monitor\System.Data.SQLite.dll
- C:\Program Files\Ivanti\Ivanti Application Monitor\SQLite.Interop.dll
- Check if the service registry key exists:
- HKLM\SYSTEM\CurrentControlSet\Services\IvAppMonSvc
- Check if the following files exist:
- Check if the appmon driver is installed:
- Check if the following files exist:
- C:\Windows\system32\drivers\IvAppMon.sys
- Check if the IvAppMon.sysfile is digitally signed by Ivanti or LANDesk AND Microsoft
- Check if the driver registry key exists:
- HKLM\SYSTEM\CurrentControlSet\Services\IvAppMon
- Check if the following files exist:
- Check if the appmon service is running
- services.msc
- taskmgr.exe
- If the appmon service still doesn't start, check the Windows event log for any crash event related to IvAppMonSvc.exe
Log File Location
- C:\ProgramData\LANDesk\Log\IvAppMon*