deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/audit-process-creation.md
Brian Lich fa5ddfcf9d changing from ms.prod: W10 to ms.prod: w10
2016-06-02 15:42:37 -07:00

4.4 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
Audit Process Creation (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). 67e39fcd-ded6-45e8-b1b6-d411e4e93019 security w10 deploy library Mir0sh

Audit Process Creation

Applies to

  • Windows 10
  • Windows Server 2016

Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).

These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.

Event volume: Low to Medium, depending on system usage.

This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes No Yes No It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server Yes No Yes No It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation Yes No Yes No It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\parameters ran specific process.
Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.
The event volume is typically medium-high level, depending on the process activity on the computer.
This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 4688(S): A new process has been created.

  • 4696(S): A primary token was assigned to process.