Understanding and Enabling Command-Line Auditing
Command-line auditing is a useful extension to the Windows auditing and event system, but it isn't enabled by default. Here's how to enable it.
December 16, 2014
Q: What exactly is the command-line auditing feature that Microsoft introduced in Windows 8.1 and Windows Server 2012 R2?
A: Command-line auditing is an extension to the Windows auditing and event system. When enabled, it adds the full command line of each newly created process (the Process Command Line field, CommandLine in the event XML) to event ID 4688, "A new process has been created," in the Windows Security event log. Without it, a 4688 event tells you only which executable started and who started it, not the arguments it was given.
Command-line auditing isn't enabled by default. To enable it, you must do both of the following:
You must enable the Audit Process Creation audit policy (at least for Success) so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking.
You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the ProcessCreationIncludeCmdLine_Enabled DWORD value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit to 1.
Both settings are required: without the first, no 4688 events are written at all; without the second, the events are written but their Process Command Line field stays empty.
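The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation. It applies both settings described above to the local machine (using auditpol.exe for the audit subcategory and the registry value for the command-line switch), then starts a process with a marker argument and reads the resulting 4688 event back so you can confirm that the Process Command Line field is populated. The marker string is constructed here purely so the event is easy to find; run the script from an elevated PowerShell prompt, since reading the Security log and changing audit policy both require administrative rights.

```powershell
# Added example (not from the original article): enable command-line auditing locally
# and verify it end to end. Requires an elevated PowerShell prompt.

# 1. Enable the "Process Creation" subcategory (Detailed Tracking) for Success events.
#    This is the local equivalent of the Advanced Audit Policy GPO setting.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Set the registry value behind "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Read both settings back to confirm they are in effect.
auditpol.exe /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' |
    Select-Object ProcessCreationIncludeCmdLine_Enabled

# 4. Generate a process-creation event with a recognizable argument.
#    The marker is constructed here only so the event is easy to locate.
$marker = "cmdline-audit-test-$PID"
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

# 5. Find the matching 4688 event. The event's fields live in its EventData XML block;
#    "CommandLine" is the field that command-line auditing adds (empty when the feature is off).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200
$hit = $null
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['CommandLine'] -like "*$marker*") {
        $hit = [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Subject     = $data['SubjectUserName']
            NewProcess  = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
        break
    }
}

if ($hit) { $hit | Format-List }
else      { Write-Warning 'No 4688 event with the marker found; check that both settings applied.' }
```

If the script prints the event but the CommandLine line is blank, the audit policy is on but the registry switch did not take effect (a GPO may be overriding it, or the value was written under the wrong key). If nothing is found at all, the Process Creation subcategory is not auditing Success events on this machine.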
For security and privacy reasons, Microsoft doesn't recommend that you enable command-line auditing permanently. When this feature is enabled, any account that can read the Security event log (local administrators and members of the Event Log Readers group, for example) will be able to read the command-line arguments of every successfully created process. Keep in mind that command lines frequently contain confidential information, including passwords passed as arguments to command-line tools and scripts, as well as other user data, so the Security log effectively becomes a store of those secrets for as long as the events are retained. You can find more information about the command-line auditing feature in the TechNet article "Command line process auditing."
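To make the privacy caveat concrete, here is an added example (not from the original article or from Microsoft) that reviews what command-line auditing exposes. It defines a small function that flags command lines whose arguments look like credentials, runs it over a handful of constructed sample command lines, and shows how to point the same function at the live 4688 events. The regular expressions are illustrative starting points, not an exhaustive list; extend them for the tools used in your environment.

```powershell
# Added example (not from the original article): find secrets that command-line auditing
# would record in the Security log. Patterns and sample lines are constructed for illustration.

# Argument shapes that commonly carry a secret.
$secretPatterns = @(
    '(?i)/user:\S+\s+\S+',                        # net use \\srv\share /user:DOM\alice <password>
    '(?i)(^|\s)(-|--|/)p(ass(word)?)?[=: ]\S+',   # -P secret, --password=secret, /password:secret
    '(?i)ConvertTo-SecureString\s+["'']?\S+',     # hard-coded PowerShell credentials
    '(?i)\b(key|token|secret)=\S+'                # API keys and tokens passed inline
)

function Find-SensitiveCommandLine {
    # Returns one object per command line that matches any secret pattern.
    param([Parameter(ValueFromPipeline = $true)][string[]]$CommandLine)
    process {
        foreach ($line in $CommandLine) {
            foreach ($p in $secretPatterns) {
                if ($line -match $p) {
                    [pscustomobject]@{ Pattern = $p; CommandLine = $line }
                    break   # report each command line once
                }
            }
        }
    }
}

# Constructed sample command lines (not real events). Three of the five carry a secret.
$samples = @(
    'net use Z: \\fileserver\finance /user:CORP\alice Summer2014!',
    'sqlcmd -S db01 -U sa -P S3cretDbPw -Q "select 1"',
    'notepad.exe C:\Users\bob\notes.txt',
    'powershell.exe -c "$s = ConvertTo-SecureString \"P@ssw0rd\" -AsPlainText -Force"',
    'svchost.exe -k netsvcs'
)
Find-SensitiveCommandLine -CommandLine $samples | Format-Table -AutoSize

# The same check against the live Security log once command-line auditing is on
# (elevated prompt required; uncomment to run):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 |
#     ForEach-Object {
#         ([xml]$_.ToXml()).Event.EventData.Data |
#             Where-Object { $_.Name -eq 'CommandLine' } |
#             ForEach-Object { $_.'#text' }
#     } |
#     Where-Object { $_ } |
#     Find-SensitiveCommandLine
```

Running the sample flags the net use, sqlcmd, and ConvertTo-SecureString lines and leaves the notepad and svchost lines alone. If the live query returns hits, the secrets are already readable by everyone with Security log access, which is the reason to scope the feature's lifetime and the log's readership rather than leaving it on indefinitely.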