WinSecWiki > Security Settings > Local Policies > Audit Policy > Process Tracking > Process Creation

Process Creation

This category is logged on all types of computers and allows you to track every program that starts on the local computer. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4688	A new process has been created
4696	A primary token was assigned to process.

Upcoming Webinars

Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example
Assessing the Security of Your Active Directory: User Accounts
Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Process Tracking

•	Process Creation
•	Removable Storage Devices
•	Process Termination
•	DPAPI Activity
•	RPC Events

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.