Using Process Tracking Audit Policy in Windows | Ranjan.info

In this article, we will show how to enable process tracking audit policy in Windows to know which programs were running on the computer. Often, administrators are asked to provide information about what apps a user runs, when they last ran specific programs, etc. Furthermore, this feature can be useful when you are detecting malware and threat activity. You can get this information from the Windows event log and create a convenient report using PowerShell.

You can trace start/stop events for Windows application processes by using the Process Tracking Audit Policy.

  1. Open the Local Group Policy Editor (gpedit.msc). If you want to enable the process audit policy on computers in an Active Directory domain, create or edit a GPO in the Group Policy Management Console (gpmc.msc) instead;
  2. Go to the following GPO section: Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy;
  3. Enable the Audit Process Tracking policy and select the Success checkbox;
  4. Save the changes and update the local GPO settings on your computer using this command: gpupdate /force

Open Event Viewer (eventvwr.msc) and expand Windows Logs -> Security. Now, when an application (process) starts, process creation event with event id 4688 appears in the log.

A new process has been created.

The event lists the account that started the process (Creator Subject), the full path of the executable (New Process Name), and the parent process that launched it (Creator Process Name). Creator Process Name is only present on Windows 10 / Windows Server 2016 and later; older versions log just the Creator Process ID.

Note that the legacy Audit Process Tracking category covers the whole Detailed Tracking group, so enabling it also writes process termination (4689), DPAPI, RPC, PNP and token-right-adjustment (4703, very chatty on modern Windows) events to the Security log. If you want to reduce the number of events and keep only process creation, disable the legacy policy and enable just the Advanced Audit Policy item Audit Process Creation (Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking). When advanced and legacy settings conflict, the subcategory setting wins as long as the security option Audit: Force audit policy subcategory settings to override audit policy category settings is enabled, which is the default.


To record the arguments a process was started with, enable Include command line in process creation events under Computer Configuration -> Administrative Templates -> System -> Audit Process Creation. Be aware that command lines can contain secrets (passwords passed to command-line tools, connection strings, tokens) and that any account with read access to the Security log will see them, so restrict who can read the log before turning this on.


After you enable the policy, the Process Command Line field of event 4688 shows the arguments used to start the program.


Make sure to increase the maximum size of the Security log (the default is 20 MB, which a busy host with command-line logging fills quickly). This lets Windows keep the process history for a longer period. To do this, open the properties of the Security log in Event Viewer and raise the Maximum log size (KB) value, or set it centrally with the GPO setting Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security -> Specify the maximum log file size (KB).
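The same configuration can be done from an elevated PowerShell session instead of the GPO editor, which is handy on standalone hosts or in a build script. The following is an added example, not code from the original article: it enables only the Process Creation subcategory, turns on command-line logging through the registry value behind the GPO setting, grows the Security log, and then checks that all three took effect. The subcategory GUID, registry paths and value names are the documented Windows ones; the 512 MB log size is an assumption, size it for your own event volume. Keep in mind that values written directly to the registry are overwritten at the next Group Policy refresh if a domain GPO manages the same settings.

```powershell
# Added example (not from the original article). Run in an elevated session.

# 1. Enable success auditing for the Process Creation subcategory only.
#    The GUID form works on any display language; the name form is localised.
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:disable

# 2. Make sure subcategory settings take precedence over the legacy category settings
#    (this is the default, but a hardening baseline may have changed it).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Type DWord -Value 1

# 3. Include the command line in 4688 (the registry value behind the GPO setting).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1

# 4. Grow the Security log. wevtutil takes the size in bytes; 512 MB is an assumed value.
wevtutil sl Security /ms:536870912

# Verification: audit setting, registry value, log size.
auditpol /get /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}"
Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled |
    Select-Object ProcessCreationIncludeCmdLine_Enabled
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount

# Generate a harmless test process and confirm its 4688 carries the command line.
Start-Process cmd.exe -ArgumentList '/c echo audit-test' -WindowStyle Hidden -Wait
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -MaxEvents 20 |
    Where-Object { $_.Properties[5].Value -like '*\cmd.exe' } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
```

If the last query shows the cmd.exe event but an empty CommandLine column, the registry value was set but the policy has not been picked up yet; on domain-joined hosts run gpupdate /force and check that no GPO sets Include command line in process creation events to Disabled.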

You can use the Event Viewer filter to analyze the apps a user runs, but this is not very convenient. Below, I’ll show some PowerShell scripts that build useful reports of users’ app run history. They use the Get-WinEvent cmdlet to read events from the Security log:

$today = (Get-Date).Date
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4688
    StartTime = $today
} -ErrorAction SilentlyContinue   # Get-WinEvent throws if no event matches the filter

# Property indices of 4688 on Windows 10 / Server 2016 and later:
# 1 = SubjectUserName, 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName
$processhistory = foreach ($event in $events) {
    [PSCustomObject]@{
        Time          = $event.TimeCreated
        User          = $event.Properties[1].Value
        ProcessName   = $event.Properties[5].Value
        CommandLine   = $event.Properties[8].Value
        ParentProcess = $event.Properties[13].Value
    }
}
$processhistory | Out-GridView

This PowerShell script selects all process start events for today and displays the process names, start times, users, command lines and parent processes in an Out-GridView table. On Windows 8.1 / Server 2012 R2 and earlier there is no ParentProcessName field, so drop the Properties[13] line there.


You can run various audit queries against the resulting object array. For example:

  • To find all users running a specific app:
    $proc_name = "notepad++.exe"
    $processhistory | Where-Object { $_.ProcessName -like "*$proc_name*" } | Out-GridView

  • To display a list of apps that a specific user has run today:
    $username = "aberg"
    $processhistory | Where-Object { $_.User -like "*$username*" } | Out-GridView
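Reading fields by Properties[] index breaks as soon as the event layout differs between Windows versions, and a plain list of processes does not by itself tell you which starts matter. The following added example (not code from the original article) parses 4688 events by the EventData field names in the event XML (SubjectUserName, NewProcessName, CommandLine, ParentProcessName, as logged on Windows 10 / Server 2016 and later) and then flags parent/child pairs that usually deserve a look: document handlers and script hosts spawning shells or download-and-execute utilities. The rule lists and the two sample events are constructed for the demonstration; the domain CONTOSO and the file paths in them are assumptions.

```powershell
# Added example, not code from the original article.

function ConvertFrom-ProcessCreationXml {
    # Turn the XML of one 4688 event (as returned by $event.ToXml()) into a flat object,
    # looking fields up by name so the code does not depend on Properties[] positions.
    param([Parameter(Mandatory, ValueFromPipeline)] [string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [PSCustomObject]@{
            Time          = [datetime]$xml.Event.System.TimeCreated.SystemTime
            User          = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ProcessName   = $data['NewProcessName']
            CommandLine   = $data['CommandLine']
            ParentProcess = $data['ParentProcessName']
        }
    }
}

function Find-SuspiciousProcessStart {
    # Emit only the records whose parent/child pair matches the (constructed) rule set.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    begin {
        $riskyParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                         'wscript.exe', 'cscript.exe', 'mshta.exe'
        $riskyChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe',
                         'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
    }
    process {
        $parent = [IO.Path]::GetFileName("$($Record.ParentProcess)").ToLower()
        $child  = [IO.Path]::GetFileName("$($Record.ProcessName)").ToLower()
        if ($riskyParents -contains $parent -and $riskyChildren -contains $child) {
            $Record | Add-Member -NotePropertyName Reason -NotePropertyValue "$parent spawned $child" -PassThru
        }
    }
}

# Two constructed 4688 records in the same XML shape that Get-WinEvent's ToXml() returns:
# a benign Explorer -> Notepad start and a Word -> hidden PowerShell start.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleEvents = @(
@"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-15T09:12:33.000Z"/></System>
<EventData><Data Name="SubjectUserName">aberg</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe C:\Users\aberg\notes.txt</Data>
<Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-15T09:14:02.000Z"/></System>
<EventData><Data Name="SubjectUserName">aberg</Data><Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -w hidden -nop -c Get-Date</Data>
<Data Name="ParentProcessName">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data></EventData></Event>
"@
)

$sampleEvents | ConvertFrom-ProcessCreationXml | Find-SuspiciousProcessStart |
    Format-Table Time, User, Reason, CommandLine -AutoSize

# Same pipeline against today's live Security log (run elevated):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688; StartTime = (Get-Date).Date } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-ProcessCreationXml | Find-SuspiciousProcessStart
```

Only the second sample record (WINWORD.EXE spawning powershell.exe) is reported; the Notepad start passes through silently. The rule lists are deliberately small so the logic is easy to read; in practice you would extend them and usually also match on command-line content (hidden windows, encoded commands, download cmdlets), which is exactly why the Include command line setting above matters for detection.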

We often use such scripts to analyze the apps users are running on RDS farm hosts.

Windows also keeps a record of executed programs in the registry hive %SystemRoot%\AppCompat\Programs\Amcache.hve. The file is held open while Windows is running, so you cannot simply copy it: take it from a volume shadow copy, use a raw-read tool, or read it after booting the computer from a LiveCD or installation media. For each executable it stores the full path, size and version metadata, timestamps, and a SHA1 hash (computed over at most the first 31,457,280 bytes of the file, so for larger binaries it will not match a full-file hash), which makes it useful for tracing programs that have since been deleted. You can convert the hive from binary to text using third-party tools (for example, RegRipper).
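The two practical problems with Amcache are getting the locked hive off a running system and matching its hashes against files you have. The following added example (not code from the original article) does both from an elevated PowerShell session: it snapshots the system volume with a volume shadow copy through the Win32_ShadowCopy WMI class (which works on client editions where vssadmin create shadow does not), copies Amcache.hve out of the snapshot, removes the snapshot, and computes the Amcache-style SHA1 (first 31,457,280 bytes at most) for a file so it can be compared with the hive's entries. The output folder C:\Temp\amcache is an assumption.

```powershell
# Added example, not code from the original article. Run in an elevated session.

function Copy-AmcacheFromShadow {
    param([string]$Destination = 'C:\Temp\amcache')   # assumed output folder
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # Create a shadow copy of the system volume.
    $result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                  -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
    if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed, code $($result.ReturnValue)" }
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID
    try {
        # The snapshot is exposed under \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
        # cmd.exe's copy handles that prefix reliably, not every cmdlet does.
        $src = "$($shadow.DeviceObject)\Windows\AppCompat\Programs\Amcache.hve"
        cmd.exe /c copy /y "$src" "$Destination\Amcache.hve" | Out-Null
        Get-Item "$Destination\Amcache.hve"
    }
    finally {
        $shadow | Remove-CimInstance   # never leave a forensic snapshot lying around
    }
}

function Get-AmcacheSha1 {
    # SHA1 over at most the first 31,457,280 bytes, the way Amcache records it.
    param([Parameter(Mandatory)] [string]$Path)
    $limit  = 31457280
    $stream = [IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] ([int][Math]::Min($stream.Length, $limit))
        $total  = 0
        while ($total -lt $buffer.Length) {          # Read() may return short counts
            $n = $stream.Read($buffer, $total, $buffer.Length - $total)
            if ($n -le 0) { break }
            $total += $n
        }
        $sha1 = [Security.Cryptography.SHA1]::Create()
        ([BitConverter]::ToString($sha1.ComputeHash($buffer, 0, $total))).Replace('-', '').ToLower()
    }
    finally { $stream.Dispose() }
}

Copy-AmcacheFromShadow
Get-AmcacheSha1 -Path "$env:SystemRoot\System32\notepad.exe"
```

Compare the value Get-AmcacheSha1 prints with the hash stored for the same path in the parsed hive; if a binary on disk was replaced after Amcache last saw it, the two differ, and if a binary larger than about 30 MB has a matching Amcache hash, remember that only its first 31,457,280 bytes were compared.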
