Kaspersky Embedded Systems Security 3.x

System changes after Kaspersky Embedded Systems Security for Windows installation

October 25, 2023

ID 147612

When Kaspersky Embedded Systems Security for Windows and the set of "Administration Tools" (including the Application Console) are installed together, the Windows Installer service will make the following modifications on the protected device:

  • Kaspersky Embedded Systems Security for Windows folders are created on the protected device and on the device where the Application Console is installed.
  • Kaspersky Embedded Systems Security for Windows services are registered.
  • A Kaspersky Embedded Systems Security for Windows user group is created.
  • Kaspersky Embedded Systems Security for Windows keys are registered in the system registry.
  • The Kaspersky Embedded Systems Security OS Upgrade Detect system task is created; it is displayed in the Windows Task Scheduler.

These changes are described below.

Kaspersky Embedded Systems Security for Windows folders on a protected device

When Kaspersky Embedded Systems Security for Windows is installed, the following folders are created on a protected device:

  • The Kaspersky Embedded Systems Security for Windows default installation folder, which contains the Kaspersky Embedded Systems Security for Windows executable files. Its location depends on whether the operating system is 32-bit or 64-bit, so the default installation folders are as follows:
    • For the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
    • For the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • Management Information Base (MIB) files containing a description of the counters and hooks published by Kaspersky Embedded Systems Security for Windows via the SNMP protocol:
    • %Kaspersky Embedded Systems Security%\mibs
  • 64-bit versions of Kaspersky Embedded Systems Security for Windows executable files (this folder will be created only during installation of Kaspersky Embedded Systems Security for Windows on the 64-bit version of Microsoft Windows):
    • %Kaspersky Embedded Systems Security%\x64
  • Kaspersky Embedded Systems Security for Windows service files:
    • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Data
    • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Settings
    • %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Dskm

    For Windows XP the path to the Kaspersky Lab folder is %ALLUSERSPROFILE%\Application Data

  • Files with settings for update sources:

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Update

  • Updates of databases and software modules downloaded using the Copying Updates task (the folder will be created the first time updates are downloaded using the Copying Updates task).

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Update\Distribution

  • Task logs and system audit log.

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Reports

  • Set of databases currently in use.

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Bases\Current

  • Backup copies of databases; they are overwritten each time the databases are updated.

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Bases\Backup

  • Temporary files created during execution of update tasks.

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Bases\Temp

  • Quarantined objects (default folder).

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Quarantine

  • Objects in backup (default folder).

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Backup

  • Objects restored from backup and quarantine (default folder for restored objects).

    %ProgramData%\Kaspersky Lab\Kaspersky Embedded Systems Security\3.3\Restored

Folder created during installation of Application Console

The default installation folder for the Application Console, which contains the "Administration Tools" files, depends on whether the operating system is 32-bit or 64-bit. The default installation folders are as follows:

  • For the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
  • For the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools

Kaspersky Embedded Systems Security for Windows services

The following Kaspersky Embedded Systems Security for Windows services start using the local system (SYSTEM) account:

  • Kaspersky Security Service (KAVFS) – essential Kaspersky Embedded Systems Security for Windows service that manages Kaspersky Embedded Systems Security for Windows tasks and workflows.
  • Kaspersky Security Management Service (KAVFSGT) – this service is intended for Kaspersky Embedded Systems Security for Windows application management through the Application Console.
  • Kaspersky Security Exploit Prevention Service (KAVFSSLP) – this service acts as an intermediary to communicate security settings to external security agents, and to receive data about security events.

Kaspersky Embedded Systems Security for Windows group

ESS Administrators is a group on the protected device whose users have full access to the Kaspersky Security Management Service and all Kaspersky Embedded Systems Security functions.

System registry keys

When Kaspersky Embedded Systems Security for Windows is installed, the following system registry keys are created:

  • Properties of Kaspersky Embedded Systems Security for Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFS]
  • Kaspersky Embedded Systems Security for Windows event log settings (Kaspersky Event Log): [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Kaspersky Security]
  • Properties of the Kaspersky Embedded Systems Security for Windows management service: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KAVFSGT]
  • Performance counter settings:
    • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security\Performance]
    • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kaspersky Security x64\Performance]
  • SNMP Protocol Support component settings:
    • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.3\SnmpAgent]
    • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.3\SnmpAgent]
  • Dump file settings:
    • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.3\CrashDump]
    • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.3\CrashDump]
  • Trace file settings:
    • For the 32-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\ESS\3.3\Trace]
    • For the 64-bit version of Microsoft Windows: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.3\Trace]
  • Settings for application tasks and functions: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.3\Environment]

Kaspersky Embedded Systems Security OS Upgrade Detect system task

The Windows Installer service creates a Kaspersky Embedded Systems Security OS Upgrade Detect task during application installation. The task is started immediately after it is created and later at every OS startup. The task checks the version of the drivers used by the application: if an operating system version is updated, the application updates the drivers for the corresponding version of the operating system.

The task does not affect the application and can be deleted. We recommend keeping the operating system upgrade scenario in mind.
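
The following PowerShell script is an added example, not part of the Kaspersky documentation. It performs a read-only audit of a protected device against the folders, services, group, registry keys and scheduled task listed in this article, and reports anything that is missing or needs review. It assumes a default installation of version 3.3, PowerShell 5.1 or later run from an elevated prompt (so it does not apply to Windows XP), and that the scheduled task is registered under exactly the name given above.

```powershell
# Added example: read-only audit of the changes listed on this page (default 3.3 install).
# Assumes PowerShell 5.1+ (Get-LocalGroup, Get-ScheduledTask) and an elevated prompt.
$is64    = [Environment]::Is64BitOperatingSystem
$pf      = if ($is64) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$install = Join-Path $pf 'Kaspersky Lab\Kaspersky Embedded Systems Security'
$data    = Join-Path $env:ProgramData 'Kaspersky Lab\Kaspersky Embedded Systems Security\3.3'
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$swKey   = if ($is64) { 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\ESS\3.3' } else { 'HKLM:\SOFTWARE\KasperskyLab\ESS\3.3' }
$perf    = if ($is64) { 'Kaspersky Security x64' } else { 'Kaspersky Security' }

# Update\Distribution is omitted: it appears only after the first Copying Updates run.
$sub   = 'Data','Settings','Dskm','Update','Reports','Bases\Current','Bases\Backup',
         'Bases\Temp','Quarantine','Backup','Restored'
$paths = @($install, "$install\mibs") + ($sub | ForEach-Object { Join-Path $data $_ })
if ($is64) { $paths += "$install\x64" }

$keys = @("$svcKey\KAVFS", "$svcKey\KAVFSGT", "$svcKey\Eventlog\Kaspersky Security",
          "$svcKey\$perf\Performance", "$swKey\SnmpAgent", "$swKey\CrashDump", "$swKey\Trace")
if ($is64) { $keys += "$swKey\Environment" }   # listed on the page only under Wow6432Node

function New-Row($Kind, $Name, $Status, $Detail = '') {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Status = $Status; Detail = $Detail }
}
function Get-Presence($Path) { if (Test-Path -LiteralPath $Path) { 'OK' } else { 'MISSING' } }

$report = @(
    foreach ($p in $paths) { New-Row 'Folder' $p (Get-Presence $p) }
    foreach ($k in $keys)  { New-Row 'RegistryKey' $k (Get-Presence $k) }

    foreach ($name in 'KAVFS', 'KAVFSGT', 'KAVFSSLP') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { New-Row 'Service' $name 'MISSING'; continue }
        # The page states these services start under the local system account.
        $status = if ($svc.StartName -eq 'LocalSystem') { 'OK' } else { 'REVIEW' }
        New-Row 'Service' $name $status "StartName=$($svc.StartName); Path=$($svc.PathName)"
    }

    # Members of this group have full access to the application, so always list them for review.
    $grp = Get-LocalGroup -Name 'ESS Administrators' -ErrorAction SilentlyContinue
    if ($grp) {
        $m = (Get-LocalGroupMember -Name $grp.Name -ErrorAction SilentlyContinue).Name -join ', '
        New-Row 'Group' $grp.Name 'REVIEW' "Members: $m"
    } else { New-Row 'Group' 'ESS Administrators' 'MISSING' }

    $task = Get-ScheduledTask -TaskName 'Kaspersky Embedded Systems Security OS Upgrade Detect' -ErrorAction SilentlyContinue
    if ($task) { New-Row 'Task' $task.TaskName 'OK' "Action: $($task.Actions.Execute -join '; ')" }
    if (-not $task) { New-Row 'Task' 'OS Upgrade Detect' 'MISSING' 'The page notes the task can be deleted' }
)
$report | Format-Table -AutoSize -Wrap
```

Components that were not selected during installation (for example, SNMP Protocol Support) will be reported as MISSING; compare the output against the components actually installed.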
