When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination.

To enable process auditing, use the Group Policy Editor (gpedit.msc) or the Local Security Policy snap-in (secpol.msc). Configure Security Settings -> Audit Policy -> Audit Process Tracking, or use Advanced Audit Policy Configuration -> System Audit Policy -> Detailed Tracking. Once process auditing is enabled, Windows registers process tracking events in the Security log.

Let's check which events are generated when we run an application. I will run Event Log Explorer (elex.exe) for the test. Running this application generates a number of events. First, as expected, event 4688 was registered in the Security log: "A new process has been created", with the following details:

New Process Name: C:\Program Files (x86)\Event Log Explorer\elex.exe
Token Elevation Type: TokenElevationTypeLimited (3)
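As an added example (not part of the original post), the same procedure from the command line: auditpol is used as the command-line equivalent of the gpedit/secpol steps above, and Get-WinEvent pulls the resulting 4688 events and extracts the fields shown. It assumes an elevated PowerShell prompt, since changing audit policy and reading the Security log require administrator rights.

```powershell
# Added example, not from the original post. Command-line equivalent of the
# gpedit/secpol steps: auditpol manages the Detailed Tracking subcategory,
# Get-WinEvent reads the 4688 events it produces. Run as administrator.

# 1. Show the current state of Detailed Tracking -> Process Creation.
auditpol /get /subcategory:"Process Creation"

# 2. Enable success auditing for process creation (this is what produces
#    event 4688 "A new process has been created").
auditpol /set /subcategory:"Process Creation" /success:enable

# 3. In the raw event XML, Token Elevation Type is stored as a resource
#    string id; map it to the names shown in Event Viewer.
$tokenTypes = @{
    '%%1936' = 'TokenElevationTypeDefault (1)'  # no UAC split token (e.g. built-in Administrator, services)
    '%%1937' = 'TokenElevationTypeFull (2)'     # elevated token after a UAC prompt
    '%%1938' = 'TokenElevationTypeLimited (3)'  # UAC-filtered standard user token
}

# 4. Read the most recent 4688 events and flatten EventData into an object.
#    Filter on elex.exe (the test application from the post); change the
#    pattern to look for any other program of interest.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            NewProcessName = $data.NewProcessName
            # process ids are hex strings ("0x1a2c") in the event XML
            NewPid         = [Convert]::ToInt64($data.NewProcessId, 16)
            CreatorPid     = [Convert]::ToInt64($data.ProcessId, 16)
            ElevationType  = $tokenTypes[$data.TokenElevationType]
        }
    } |
    Where-Object { $_.NewProcessName -like '*\elex.exe' } |
    Format-Table -AutoSize
```

Process creation auditing is high volume on busy systems, so size the Security log accordingly or forward these events to a central collector before enabling it broadly.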