Windows OS Hub
November 23, 2022 | Group Policies, PowerShell, Windows 10, Windows Server 2019

Using Process Tracking Audit Policy in Windows

In this article, we will show how to enable the process tracking audit policy in Windows in order to find out which programs have been run on a computer. Quite often, an administrator is asked to provide information about which apps a user runs, when a specific program was last run, etc. This information is also useful when you are tracing malware or other threat activity. You can get it from the Windows Security event log and build a convenient report with PowerShell.

You can trace start/stop events for Windows application processes using the process tracking audit policy.

  1. Open the Local Group Policy Editor (gpedit.msc). If you want to enable the process audit policy on computers in an Active Directory domain, create or edit a GPO in the Group Policy Management console (gpmc.msc) instead;
  2. Go to the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
  3. Enable the Audit process tracking policy and select the Success checkbox;
     Earlier, we showed how to use audit events to find out the process that is the source of the account lockout event on a computer.
  4. Save the changes and update the local GPO settings on your computer using this command: gpupdate /force

Open the Event Viewer (eventvwr.msc) and expand Windows Logs -> Security. Now, whenever a process starts, a Process Creation event with EventID 4688 (A new process has been created) appears in the log.

The event description contains the account that started the program (Creator Subject), the full path of the process executable (New Process Name), and the parent process the app was started from (Creator Process Name).

A process termination event (A process has exited) has the EventID 4689. Previously, we showed how to run a script (perform an action) when an app starts or stops in Windows using these events and a Task Scheduler trigger.

Note that the legacy Audit process tracking policy described above enables the whole Detailed Tracking category: process creation and termination events, DPAPI activity, RPC events, PnP activity, and token right adjustment events (EventID 4703), which can make the Security log very noisy. If you want to reduce the number of events and keep only process creation events, disable this policy and enable the single advanced audit policy subcategory instead: Audit Process Creation (Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policy -> Detailed Tracking). Do not mix the legacy and the advanced audit policies on the same computer: the advanced (subcategory) settings override the legacy category settings, and the resulting configuration is hard to reason about.

To include the process command line (the arguments the app was started with) in the 4688 event, enable the Include command line in process creation events option under Computer Configuration -> Administrative Templates -> System -> Audit Process Creation. This option is available natively on Windows 8.1 / Windows Server 2012 R2 and later (on Windows 7 / Windows Server 2008 R2 / Windows 8 / Windows Server 2012 it requires update KB3004375). Keep in mind that command lines frequently contain passwords and other secrets, so once you enable this option, the Security log itself becomes sensitive data: restrict who may read it and who may read log forwarding/SIEM copies of it.

After you enable the policy, the arguments used to start a program appear in the Process Command Line field of the event description.

Be sure to increase the maximum size of your Security log file (the default size is only 20 MB). With process creation auditing enabled, a small log is overwritten within hours on a busy host, and the process history is lost. To change it, open the Security log properties in Event Viewer and increase the Maximum log size (KB) value (in a domain, use the GPO setting Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security -> Specify the maximum log file size (KB)).
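The whole procedure above (enable only the Process Creation subcategory, include the command line, grow the Security log, and verify that 4688 events actually carry the command line) can be done from an elevated PowerShell prompt on a single computer. The following is an added example, not a script from the original article; it assumes you run it as Administrator on an English-language Windows 10 / Windows Server 2016 or later, and that no domain GPO overrides these local settings (a domain GPO wins over local auditpol and registry changes at the next policy refresh).

```powershell
# Added example: configure process creation auditing locally and verify it.
# Run in an elevated (Administrator) PowerShell session.

# 1. Enable only the "Process Creation" subcategory (success events) instead of the whole
#    legacy "Audit process tracking" category, so 4689/4703/PnP/RPC noise is not logged.
#    The subcategory name is localized; on non-English Windows use the GUID form instead:
#    /subcategory:"{0CCE922B-5478-11D9-BED3-505054503030}"
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable

# 2. Make the subcategory settings override the legacy category settings
#    (Security option "Audit: Force audit policy subcategory settings ... to override
#    audit policy category settings"; enabled by default on current Windows versions).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 3. Include the command line in 4688 events. This registry value is what the GPO setting
#    "Include command line in process creation events" writes.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 4. Raise the maximum Security log size to 1 GB (wevtutil takes the size in bytes).
wevtutil sl Security /ms:1073741824

# 5. Verify the effective configuration.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled
"Security log max size: {0} MB" -f ((Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB)

# 6. Generate a test process with a recognizable argument and read its 4688 event back.
#    If the command line is empty, step 3 (or a GPO overriding it) is the problem.
Start-Process -FilePath notepad.exe -ArgumentList 'C:\Windows\win.ini' -PassThru | Stop-Process
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -MaxEvents 20 |
    Where-Object { $_.Properties[5].Value -like '*\notepad.exe' } |
    Select-Object -First 1 |
    ForEach-Object { "New Process Name: $($_.Properties[5].Value)"; "Command Line: $($_.Properties[8].Value)" }
```

Step 6 is the check a practitioner should always run after a rollout: the policy may be enabled while the command line is still missing (for example, because a domain GPO sets ProcessCreationIncludeCmdLine_Enabled back to 0), and that is only visible in the event itself.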

You can use the Event Viewer filters to analyze the apps run by a user, but it is not very convenient. Below, I will show some PowerShell scripts that build handy reports with the history of apps run by users. They use the Get-WinEvent cmdlet to read events from the Security log (reading this log requires administrator privileges):

# Reading the Security log requires administrator privileges
$today = (Get-Date).Date
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4688
    StartTime = $today
} -ErrorAction SilentlyContinue

# Event 4688 exposes its fields by position in $event.Properties.
# The indexes below are valid on Windows 10 / Windows Server 2016 and later;
# Windows 8.1 / 2012 R2 and older have no ParentProcessName field (index 13).
$processhistory = foreach ($event in $events) {
    [PSCustomObject]@{
        Time          = $event.TimeCreated
        User          = $event.Properties[1].Value    # SubjectUserName
        ProcessName   = $event.Properties[5].Value    # NewProcessName
        CommandLine   = $event.Properties[8].Value    # CommandLine (empty unless the option above is enabled)
        ParentProcess = $event.Properties[13].Value   # ParentProcessName
    }
}
$processhistory | Out-GridView

This PowerShell script selects all process startup events for today and displays a list of processes, their startup times, and usernames in an Out-GridView table.


You can run different audit queries against the resulting object array. For example:

  • To find all users who have run a specific app:
    $proc_name="notepad++.exe"
    $processhistory | Where-Object {$_.ProcessName -like "*$proc_name*"} | Out-GridView
  • To display a list of apps that a specific user has run today:
    $username="aberg"
    $processhistory | Where-Object {$_.User -like "*$username*"} | Out-GridView

We often use such scripts to analyze apps run by users on the RDS farm hosts.
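The positional Properties[] indexes used above change between Windows versions, and ad-hoc Where-Object filters are fine for "who ran notepad++" questions but not for hunting. The following added example (not from the original article) goes one step further on the same data: it parses 4688 events by the Data Name attributes in the event XML, which is stable across OS versions, and then runs a few simple parent/child and command-line rules over the resulting history. The three events are constructed samples embedded in the script so it runs without administrator rights and without a populated Security log; the user names, paths and the suspicious-pattern rules are assumptions for illustration.

```powershell
# Added example: parse 4688 events by field name (not by position) and flag suspicious starts.

# Constructed sample events in the same XML shape that $event.ToXml() returns on a real host.
# To use real data:  Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} | ForEach-Object { $_.ToXml() } | ConvertFrom-ProcessCreationXml
$sampleXml = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2022-11-23T09:15:02.123Z"/></System><EventData><Data Name="SubjectUserName">aberg</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data><Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2022-11-23T09:20:45.001Z"/></System><EventData><Data Name="SubjectUserName">aberg</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="NewProcessName">C:\Program Files\Notepad++\notepad++.exe</Data><Data Name="CommandLine">"C:\Program Files\Notepad++\notepad++.exe" C:\Users\aberg\notes.txt</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4688</EventID><TimeCreated SystemTime="2022-11-23T11:02:10.500Z"/></System><EventData><Data Name="SubjectUserName">jsmith</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="NewProcessName">C:\Users\jsmith\AppData\Local\Temp\update.exe</Data><Data Name="CommandLine">update.exe /silent</Data><Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data></EventData></Event>'
)

function ConvertFrom-ProcessCreationXml {
    # Turn one 4688 event (XML string) into the same object shape as $processhistory above,
    # looking fields up by their Name attribute so the code does not depend on field order.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.InnerText }
        [PSCustomObject]@{
            Time          = [datetime]$x.Event.System.TimeCreated.SystemTime
            User          = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ProcessName   = $d['NewProcessName']
            CommandLine   = $d['CommandLine']
            ParentProcess = $d['ParentProcessName']
        }
    }
}

function Find-SuspiciousProcessStart {
    # Simple hunting rules over a process history; each hit carries the reason it matched.
    param([Parameter(Mandatory)][object[]]$History)
    $officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
    $scriptHosts   = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'
    foreach ($p in $History) {
        $child   = [IO.Path]::GetFileName($p.ProcessName)
        $parent  = [IO.Path]::GetFileName($p.ParentProcess)
        $reasons = @()
        if ($officeParents -contains $parent -and $scriptHosts -contains $child) {
            $reasons += 'Office application spawned a script host'
        }
        if ($p.CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s' -or $p.CommandLine -match '(?i)-w(indowstyle)?\s+hidden') {
            $reasons += 'encoded or hidden PowerShell command line'
        }
        if ($p.ProcessName -match '(?i)\\(AppData\\Local\\Temp|Users\\Public|Windows\\Temp)\\') {
            $reasons += 'executable started from a user-writable temp location'
        }
        if ($reasons) {
            [PSCustomObject]@{
                Time = $p.Time; User = $p.User; Process = $child; Parent = $parent
                CommandLine = $p.CommandLine; Reason = ($reasons -join '; ')
            }
        }
    }
}

$history = $sampleXml | ConvertFrom-ProcessCreationXml
$history | Format-Table Time, User, ProcessName, ParentProcess -AutoSize
Find-SuspiciousProcessStart -History $history | Format-Table Time, User, Process, Parent, Reason -AutoSize
```

With the sample data, the notepad++ start from explorer.exe is reported as normal, while the Word-spawned hidden, encoded PowerShell and the cmd-spawned update.exe from a Temp folder are flagged. The rules are deliberately crude; the point is that once 4688 events include the command line and the parent process, the same history you collect for "who ran what" reporting doubles as input for detection.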

In Windows, you can also find traces of executed programs in the %SystemRoot%\AppCompat\Programs\Amcache.hve registry hive. The file is locked while Windows is running, so you can read it only offline (boot the computer from a LiveCD or installation media) or from a Volume Shadow Copy of the system drive. The hive contains records of executables (including install/uninstall data) and their SHA1 hashes. You can convert it from binary to a text format using third-party tools (for example, RegRipper). Note that an Amcache entry shows that Windows inventoried the file, not necessarily that it was run, so correlate it with the 4688 events described above before drawing conclusions.

Note that PowerShell also keeps a history of the commands you run in a text file: the PSReadLine module writes it to %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt in each user's profile.
