Process Auditing
| Field | Value |
|---|---|
| Event name | Process creation |
| Location | Windows Security log |
| Operating Systems | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022 |
| Category • Subcategory | Process Tracking • Process Creation |
| Type | Audit Success, Audit Failure |
| Default setting | Not configured |
| Event ID | 4688, 4689 |
| Event Fields | New Process ID, New Process Name, Token Elevation Type, Mandatory Label, Creator Process ID, Creator Process Name, Process Command Line |
Overview
Regularly auditing the processes on your network can help you detect any malicious processes that may be running on your system. For instance, if a user unintentionally downloads malware, it can create multiple processes that can harm your network. By enabling Audit Process Creation, you can easily detect such processes. Once you identify them, you can take the necessary actions to remove them and prevent any further damage to your system.
Enable Audit Process Creation
- Open the Group Policy MMC snap-in (`gpedit.msc`).
- Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
- Configure the Audit Process Creation event and tick both the Success and Failure checkboxes.
Once Audit Process Creation is enabled, it will record the following event IDs:
- 4688: A new process has been created.
- 4696: A primary token has been assigned to the process (this event is deprecated).
Enable CommandLine Field
For various security and usability reasons, command line auditing is disabled by default. Follow the steps below to enable it.
- Open the Group Policy MMC snap-in (`gpedit.msc`).
- Navigate to Computer Configuration > Administrative Templates > System > Audit Process Creation, open the Include command line in process creation events setting, then select the Enabled radio button.
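The two Group Policy steps above can also be scripted for a standalone host or a lab VM. The following PowerShell is an added example, not part of the original page: it uses `auditpol` to enable Success and Failure auditing for the Process Creation subcategory, sets the `ProcessCreationIncludeCmdLine_Enabled` registry value that backs the "Include command line" administrative template, and then reads both settings back. It assumes an elevated session; on a domain-joined machine Group Policy overwrites these local values at the next refresh, so there the settings belong in the GPO.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the GPO steps above for a standalone host.

# 1. Advanced Audit Policy: Process Creation -> Success and Failure.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. "Include command line in process creation events" = Enabled.
#    This DWORD is the value the administrative template writes.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) {
    New-Item -Path $auditKey -Force | Out-Null
}
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Read both settings back so the change can be confirmed.
#    auditpol /r emits CSV with an "Inclusion Setting" column.
$policy  = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
$cmdLine = (Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled').ProcessCreationIncludeCmdLine_Enabled

[pscustomobject]@{
    Subcategory        = $policy.Subcategory
    InclusionSetting   = $policy.'Inclusion Setting'      # expected: "Success and Failure"
    CommandLineLogging = if ($cmdLine -eq 1) { 'Enabled' } else { 'Disabled' }
}
```

The read-back step matters in practice: a host whose 4688 events all have an empty Process Command Line field is usually one where step 2 was never applied or was reverted by policy.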
Confirm Process Creation Event
To list the configured auditing policies, open a command prompt and run:

`auditpol /get /subcategory:"Process Creation"`

You can then run any command (here I ran `ipconfig /all`) and check the generated events in the Event Viewer.
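Instead of browsing the Event Viewer, the same check can be done from PowerShell. The script below is an added example, not code from the original page: it reads recent 4688 events from the Security log, projects the fields listed in the table above (New Process ID, New Process Name, Token Elevation Type, Mandatory Label, Creator Process ID, Creator Process Name, Process Command Line), and optionally filters on an image name such as `ipconfig.exe` to find the test run. It assumes an elevated session, since reading the Security log requires administrator rights; the `Get-ProcessCreationEvent` function name and the `%%1936` to `%%1938` elevation-type labels are this example's own.

```powershell
# Added example: project 4688 (process creation) events into the fields from the table above.
# Run in an elevated PowerShell session.

# Friendly names for the TokenElevationType resource strings carried in 4688.
$elevationNames = @{
    '%%1936' = 'Type 1 (Default: no UAC split token)'
    '%%1937' = 'Type 2 (Full: elevated token)'
    '%%1938' = 'Type 3 (Limited: filtered standard-user token)'
}

function Get-ProcessCreationEvent {
    param(
        [int]$MaxEvents = 50,
        # Optional image name, e.g. 'ipconfig.exe', to locate the test command run above.
        [string]$ImageName
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # The structured fields live under EventData; index them by their Name attribute.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $newName = [string]$data.NewProcessName
        if ($ImageName -and -not $newName.EndsWith("\$ImageName", 'OrdinalIgnoreCase')) { continue }

        [pscustomobject]@{
            Time               = $e.TimeCreated
            Subject            = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            NewProcessId       = [int]$data.NewProcessId      # stored as a hex string, e.g. 0x1a2c
            NewProcessName     = $newName
            CreatorProcessId   = [int]$data.ProcessId
            CreatorProcessName = $data.ParentProcessName      # populated on Windows 10 / 2016 and later
            TokenElevationType = $elevationNames[[string]$data.TokenElevationType]
            MandatoryLabel     = $data.MandatoryLabel
            CommandLine        = $data.CommandLine
            # False on every event means the "Include command line" setting is not in effect.
            CommandLineLogged  = -not [string]::IsNullOrEmpty($data.CommandLine)
        }
    }
}

# Usage: show the event produced by the "ipconfig /all" test run.
Get-ProcessCreationEvent -ImageName 'ipconfig.exe' | Format-List
```

The `CommandLineLogged` column is the quickest confirmation of the Enable CommandLine Field section: if it is false for every event, the auditing subcategory is on but the command line policy is not, and the events will show process names without their arguments.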