Windows 8.1 and Windows Server 2012 R2 introduced an awesome new feature, called Include command line in process creation events, a Group Policy setting that expands the Audit Process Creation policy so events in Event Viewer (eventvwr.msc) include the actual commands issued.
Last week, Microsoft introduced an update to Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 to introduce the same feature to these older Windows and Windows Server versions.
It’s as good as any reason to look into it.
In many Microsoft-centered networking infrastructure environment, it is hard to troubleshoot, monitor and/or investigate security-related issues.
Audit process creation
In many of these cases, the Audit Process Creation Group Policy setting (in Computer Configuration, Policies, Windows Settings, Security Settings, Advanced Audit Configuration, Detailed Tracking is enabled for specific systems (It is not enabled by default):
This setting determines whether the Operating System generates audit events when a process is created. Event-IDs 4688 are generated and logged in the Windows Security log.
Now, after you apply KB3004375 to Windows 7, Windows 8, Windows Server 2008 R2 and/or Windows Server 2012, you see a new Group Policy setting in Computer Configuration, Policies, Administrative Templates, System, Audit Process Creation, named Include command line in process creation events:
When you enable this setting, the events in Event Viewer (eventvwr.msc) get expanded with the Process Command Line: information. The two screenshots below, made on a Windows Server 2012 R2 installation, show two events in Event Viewer with Event ID 4688. The left event was logged before the Include command line in process creation events Group Policy setting was enabled. The screenshot on the right shows the event with the setting enabled:
Command line auditing can be a super useful tool for troubleshooting, monitoring and/or investigating security-related issues. It might be the missing piece of the puzzle on your Windows 7, Windows 8, Windows Server 2008 R2 and/or Windows Server 2012 installations. If it is, don’t hesitate to roll out KB3004375 (after testing).
Running Windows 8.1 and Windows Server 2012 R2 and in need for some command line auditing intelligence? Simply enable it.
Related Knowledgebase articles
3004375 Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015
Audit Process Creation
Advanced Security Audit Policy Step-by-Step Guide
Best Practices for Securing Active Directory
How to Create an Audit Plan
Best Practices in Internal Audit
WinSecWiki – Process Creation