Q: What exactly is the command-line auditing feature that Microsoft introduced in Windows 8.1 and Windows Server 2012 R2?
A: Command-line auditing is an extension to the Windows auditing and event system. When it's enabled, the full command line used to start a process is recorded in the event ID 4688 (process creation) entries in the Windows Security event log, alongside the fields those events already carry.
Command-line auditing isn't enabled by default. To enable it, you must do the following:
- You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking.
- You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled registry value to 1.
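The two-step procedure above, carried out locally and then verified, as an added PowerShell example (this is not code from the original article or from Microsoft). It assumes an elevated PowerShell session on a single machine; `auditpol` changes the local effective audit policy, which a domain GPO may later overwrite, and the registry path is the one named in the answer.

```powershell
# Added example (not from the original article): enable Audit Process Creation
# and command-line inclusion locally, then confirm that new 4688 events carry
# the CommandLine field. Run from an elevated PowerShell session.

# 1. Enable the Audit Process Creation subcategory so 4688 success events are logged.
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Enable "Include command line in process creation events" through the
#    registry value named in the article. The Audit key may not exist yet.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Read both settings back to confirm they took effect.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'

# 4. Start a harmless process so a fresh 4688 event is written, then decode the
#    newest events. Before step 2 the CommandLine field of 4688 is empty; after
#    it, the full command line (including any arguments) appears.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c echo audit-test' -WindowStyle Hidden -Wait

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 10 |
    ForEach-Object {
        # Each EventData <Data Name="..."> element becomes a hashtable entry.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['SubjectUserName']
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    } | Format-Table -AutoSize -Wrap
```

Step 4 is also the check to run before relying on the feature in a detection pipeline: if `CommandLine` stays blank, the audit subcategory is on but the registry value (or its GPO equivalent) is not, and only the process path is being recorded.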
For security and privacy reasons, Microsoft doesn't recommend that you enable command-line auditing permanently. When this feature is enabled, any user who has read access to Windows security events can read the command-line arguments of every successfully created process. Keep in mind that command lines might contain confidential information, including passwords and other user data. You can find more information about the command-line auditing feature in the TechNet article "Command line process auditing."