mysocialrelop.blogg.se

Process monitor command line







Because of this additional logging we can now see that not only was the wscript.exe process started, but that it was also used to execute a VB script. Prior to this update, none of the information for Process Command Line was logged. Review the updated event ID 4688 in Figure 16.

Figure 16 Event 4688.

  • You enable it via GPO, with the "Include command line in process creation events" setting, but it is disabled by default.
  • It will also log the SHA1/2 hash of the executable in the AppLocker event log, under Application and Services Logs\Microsoft\Windows\AppLocker.
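The difference this setting makes to event ID 4688, as an added example that is not part of the original article: the code parses two constructed 4688 event XML records for the same wscript.exe start, one with an empty CommandLine field and one with it populated. The user name, paths and script name are constructed sample values, and treating an empty CommandLine field as "policy not enabled" is an assumption.

```python
import shlex
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def event_xml(command_line):
    """Build a constructed 4688 event (sample data, not taken from the page)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4688</EventID></System><EventData>"
        '<Data Name="SubjectUserName">alice</Data>'
        r'<Data Name="NewProcessName">C:\Windows\System32\wscript.exe</Data>'
        f'<Data Name="CommandLine">{command_line}</Data>'
        "</EventData></Event>"
    )

# Same process start, logged before and after the policy is enabled.
BEFORE = event_xml("")
AFTER = event_xml(r'"C:\Windows\System32\WScript.exe" //B "C:\Users\alice\Desktop\update.vbs"')

def parse_4688(xml_text):
    """Return the EventData fields of a 4688 event, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def triage(xml_text):
    """Classify one event by what an analyst can conclude from it."""
    fields = parse_4688(xml_text)
    if fields is None:
        return ("not-4688", None)
    image = fields.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    cmdline = fields.get("CommandLine", "").strip()
    if not cmdline:
        # Assumption: empty or missing field means the policy is not enabled.
        return ("no-command-line", image)
    if image in SCRIPT_HOSTS:
        try:
            tokens = shlex.split(cmdline, posix=False)  # keep backslashes literal
        except ValueError:  # unbalanced quotes in the logged command line
            return ("script-host-unparsed", cmdline)
        args = [t.strip('"') for t in tokens[1:] if not t.startswith("//")]
        return ("script-host", args[0] if args else None)
    return ("logged", cmdline)

if __name__ == "__main__":
    for name, ev in (("before", BEFORE), ("after", AFTER)):
        print(name, triage(ev))
```
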

The pre-existing process creation audit event ID 4688 will now include audit information for command line processes.

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.








