Understanding and Enabling Command-Line Auditing

Command-line auditing is a useful extension to the Windows auditing and event system, but it isn't enabled by default. Here's how to enable it.

Jan De Clercq

December 16, 2014

1 Min Read
Windows Gatekeeper QAs
Windows Gatekeeper Q&As

Q: What exactly is the command-line auditing feature that Microsoft introduced in Windows 8.1 and Windows Server 2012 R2?

A: Command-line auditing is an extension to the Windows auditing and event system. When enabled, it adds the detailed command-line arguments used by a process to ID 4688 events in the Windows security event log.

Command-line auditing isn't enabled by default. To enable it, you must do the following:

  1. You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationSystem Audit PoliciesDetailed Tracking.

  2. You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer ConfigurationAdministrative TemplatesSystemAudit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemAudit
    ProcessCreationIncludeCmdLine_Enabled registry key value to 1.

For security and privacy reasons, Microsoft doesn't recommend that you enable command-line auditing permanently. When this feature is enabled, any user that has read access to Windows security events will be able to read the command-line arguments for any successfully created process. Keep in mind that command-line commands might contain confidential information, including passwords and other user data. You can find more information about the command-line auditing feature in the TechNet article "Command line process auditing."

About the Author

Jan De Clercq

Jan De Clercq

See more from Jan De Clercq
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

the word AI above a powershell logo with arrows pointing to and from a microsoft word document
PowerShell
PowerShell and AI: Create a Microsoft Word CopilotPowerShell and AI: Create a Microsoft Word Copilot
byBrien Posey
Aug 16, 2024
7 Min Read
code
Software Development Techniques
Micro-Monolith: The Best of Both Worlds in App ArchitectureMicro-Monolith: The Best of Both Worlds in App Architecture
byChristopher Tozzi
Aug 19, 2024
4 Min Read
Laws and regulations with padlock on cloud icons on laptop computer screen
Cloud Computing
What Is a Sovereign Cloud and Who Truly Benefits From It?What Is a Sovereign Cloud and Who Truly Benefits From It?
byChristopher Tozzi
Jul 18, 2024
6 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

robot arm and laptop on the table
Digital Transformation
How To Build Your First ROS ApplicationHow To Build Your First ROS Application
the word AI above a powershell logo with arrows pointing to and from a microsoft word document
PowerShell
PowerShell and AI: Create a Microsoft Word CopilotPowerShell and AI: Create a Microsoft Word Copilot
photo of a robot and chart showing the steps in ROS 2 deployment process
Digital Transformation
How To Deploy ROS 2 on Ubuntu 22.04: A Step-by-Step GuideHow To Deploy ROS 2 on Ubuntu 22.04: A Step-by-Step Guide
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

multicloud concept
Cloud Computing
Cross-Cloud: The Next Evolution in Cloud Computing?Cross-Cloud: The Next Evolution in Cloud Computing?
animated robotic arm and the text getting started with robotic operating system (ROS)
Digital Transformation
Introduction to Robotics Operating System (ROS)Introduction to Robotics Operating System (ROS)