  1. To validate the service:

     Run sc query uevagentservice

     If the service is running you should get confirmation along the following lines (the key is that the service’s state is ‘RUNNING’):

         c:\>sc query uevagentservice

         SERVICE_NAME: uevagentservice
                 TYPE               : 10  WIN32_OWN_PROCESS
                 STATE              : 4  RUNNING
                                         (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
                 WIN32_EXIT_CODE    : 0  (0x0)
                 SERVICE_EXIT_CODE  : 0  (0x0)
                 CHECKPOINT         : 0x0
                 WAIT_HINT          : 0x0

  2. To validate the UE-V Agent Driver:

     Run sc query uevagentdriver

     If the service is running you should get confirmation along the following lines:

         c:\>sc query uevagentdriver

         SERVICE_NAME: uevagentdriver
                 TYPE               : 2  FILE_SYSTEM_DRIVER
                 STATE              : 4  RUNNING
                                         (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
                 WIN32_EXIT_CODE    : 0  (0x0)
                 SERVICE_EXIT_CODE  : 0  (0x0)
                 CHECKPOINT         : 0x0
                 WAIT_HINT          : 0x0

  3. To validate the Agent DLL is being loaded by monitored processes:

     1. Load a program whose settings are configured to roam (e.g. Notepad.exe)
     2. Download and install Process Explorer from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
     3. In Process Explorer, click on View, then Show Lower Pane
     4. In Process Explorer, click on View, then Lower Pane View, then DLLs
     5. Click to select Notepad.exe in the process list in the top pane of Process Explorer
     6. Verify that Microsoft.Uev.AppAgent.dll is listed in the lower pane of Process Explorer. This validates that UE-V has been successfully injected into the Notepad.exe process.
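
The three checks above can also be scripted, which is useful when validating many machines or when recording which processes carry the injected agent DLL. The following PowerShell is an added example, not part of the original procedure; it assumes Notepad is already running in the current user's session and that the script runs in a PowerShell session of the same bitness as Notepad.

```powershell
# Added example: scripted form of the three manual validation steps.
# Assumption: notepad.exe is already running and its settings are configured to roam.
$results = [ordered]@{}

# Steps 1 and 2: the same state that "sc query" reports as "4  RUNNING".
$svc = Get-CimInstance -ClassName Win32_Service      -Filter "Name='uevagentservice'"
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='uevagentdriver'"
$results['uevagentservice'] = if ($svc) { $svc.State } else { 'NotInstalled' }
$results['uevagentdriver']  = if ($drv) { $drv.State } else { 'NotInstalled' }

# Step 3: look for the agent DLL in the module list of each Notepad process,
# which is what the Process Explorer lower pane (DLLs view) shows.
$dll   = 'Microsoft.Uev.AppAgent.dll'
$procs = @(Get-Process -Name notepad -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { $results['notepad'] = 'NotRunning' }

foreach ($p in $procs) {
    $key = "notepad PID $($p.Id)"
    try {
        $mods = @($p.Modules)
        if ($mods.Count -eq 0) {
            # A live process always has at least its own image loaded, so an empty
            # list means it could not be read (other user, or bitness mismatch).
            $results[$key] = 'ModuleListUnreadable'
            continue
        }
        $hit = $mods | Where-Object { $_.ModuleName -ieq $dll } | Select-Object -First 1
        $results[$key] = if ($hit) { "Loaded: $($hit.FileName)" } else { 'NotLoaded' }
    } catch {
        $results[$key] = "ModuleListUnreadable: $($_.Exception.Message)"
    }
}

# One row per check; both states should read Running and each Notepad row Loaded.
$results
```

The FileName shown for a loaded module is worth a glance as well: it should point into the UE-V agent's installation directory rather than a user-writable location.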