enabling audit process tracking policy posted on Sunday, July 24, 2005

Enable the "Audit process tracking" audit policy for the desired computers. You'll find this setting in any Group Policy Object (GPO) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in the Group Policy Management Console (GPMC). Then start monitoring for event ID 592 (A new process has been created), which Windows logs whenever a new executable is started. This event reports the full path of the program and the user who started it, as Figure 1 shows. You can figure out when the program ended by looking in the log for a later event ID 593 (A process has exited) with the same Process ID value.
-
Finding the Programs Executed on a System
logparser "select TimeGenerated, RESOLVE_SID(REPLACE_CHR(EXTRACT_TOKEN(Strings,3,'|'),'{}%','')) as User, EXTRACT_TOKEN(Strings,1,'|') as Program from security where eventid=592"

-
http://www.ultimatewindowssecurity.com/encyclopedia.html
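The 592/593 pairing described above, as an added example that is not part of the original post: it assumes rows in the shape Log Parser's EVT input exposes (TimeGenerated, EventID, and the '|'-separated Strings field), and the sample rows are constructed. Because Windows recycles process IDs, each start is matched only to the next exit with that ID, and a reused ID after an exit starts a new record.

```python
# Constructed sample rows in Log Parser's (TimeGenerated, EventID, Strings) shape.
# Event 592 strings: NewProcessID|ImageFileName|CreatorProcessID|UserName|Domain|LogonID
# Event 593 strings: ProcessID|ImageFileName|UserName|Domain|LogonID
SAMPLE_ROWS = [
    ("2005-07-24 09:15:02", 592, r"1324|C:\WINDOWS\system32\cmd.exe|848|jsmith|CONTOSO|(0x0,0x3E7)"),
    ("2005-07-24 09:15:10", 592, r"1400|C:\WINDOWS\notepad.exe|1324|jsmith|CONTOSO|(0x0,0x3E7)"),
    ("2005-07-24 09:15:45", 593, r"1400|C:\WINDOWS\notepad.exe|jsmith|CONTOSO|(0x0,0x3E7)"),
    ("2005-07-24 09:20:00", 593, r"1324|C:\WINDOWS\system32\cmd.exe|jsmith|CONTOSO|(0x0,0x3E7)"),
    # PID 1324 is reused by a new process after cmd.exe exited; it has no 593 yet.
    ("2005-07-24 09:21:30", 592, r"1324|C:\WINDOWS\system32\calc.exe|900|svc_backup|CONTOSO|(0x0,0x1A4)"),
]


def correlate(rows):
    """Pair each 592 (start) with the next 593 (exit) carrying the same PID.

    Returns one dict per started process, in start order, with end=None when
    no matching exit has been logged.  A second 592 with a PID that is still
    'open' replaces the stale entry, so PID reuse cannot close the wrong record.
    """
    open_procs = {}   # pid -> record still waiting for its 593
    results = []
    for ts, event_id, strings in sorted(rows):
        fields = strings.split("|")
        pid = fields[0]
        if event_id == 592:
            rec = {
                "pid": pid,
                "program": fields[1],
                "parent_pid": fields[2],
                "user": fields[4] + "\\" + fields[3],   # DOMAIN\user
                "start": ts,
                "end": None,
            }
            results.append(rec)
            open_procs[pid] = rec
        elif event_id == 593 and pid in open_procs:
            open_procs.pop(pid)["end"] = ts
    return results


if __name__ == "__main__":
    for rec in correlate(SAMPLE_ROWS):
        print(f"{rec['start']}  {rec['end'] or 'still running    '}  "
              f"{rec['user']:<20} {rec['program']} (pid {rec['pid']}, parent {rec['parent_pid']})")
```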
