WinSecWiki > Security Settings > Local Policies > Audit Policy > Process Tracking > Process Creation

Process Creation

This category is logged on all types of computers and allows you to track every program that starts on the local computer. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID Title
4688 A new process has been created
4696 A primary token was assigned to process.

Back to top


Additional Resources