WinSecWiki > Security Settings > Local Policies > Audit Policy > Process Tracking

Audit Process Tracking

The Audit process tracking policy (sometimes called Detailed Tracking) tracks each program that is executed, either by the system or by end users. You can even determine how long the program was open. You can tie this policy, Audit logon events, and Audit object access events together by using the Logon ID, Process ID, and Handle ID fields within the various event descriptions and thereby paint a detailed picture of a user’s activities.

The following is an exerpt from my book, The Windows Security Log Revealed 

With the Detailed Tracking category (sometimes called Process Tracking), Windows gives you the ability to track programs executed on the system and to link those process events to logon sessions reported by Logon/Logoff events and to file access events generated by the Object Access category. For instance, you can use Detailed Tracking events to determine that Joe opened Excel. By linking Detailed Tracking events to Logon/Logoff events, you can further show that Joe opened Excel during a remote desktop logon; by linking Detailed Tracking events to Object Access events, you can document that Joe used Excel to open and modify c:\files\payroll.xls. Detailed Tracking also provides event IDs for monitoring the installation and removal of services and the maintenance of scheduled tasks. 

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom line

  • Windows XP, 2000 and 2003: I recommend enabling this policy for success on workstations and possibly member servers. We have not observed any failure events in this category.
  • Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Detailed Tracking (Windows Server 2008 and Vista).

Child articles:

Back to top


Additional Resources