I recently encountered an interesting issue while working with Windows security auditing. I had enabled process creation auditing on several servers, but noticed that some servers were showing the process command line in Event 4688, while others only displayed the process name with a blank command line field. This inconsistency was puzzling, and I needed to understand why this was happening.
The Problem
When examining Event 4688 (A new process has been created) in the Windows Security log, I found events that looked like this:
A new process has been created.
Creator Subject:
Security ID: <redacted>
Account Name: <redacted>
Account Domain: <redacted>
Logon ID: 0x2432EB
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x43b8
New Process Name: C:\Windows\System32\net1.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x576c
Creator Process Name: C:\Windows\System32\net.exe
Process Command Line:
The key field I needed was Process Command Line, which shows the full command with arguments. However, on some servers, this field was completely blank despite having process creation auditing enabled.
Understanding the Components
After investigation, I discovered that Windows process auditing requires two separate configurations:
- Audit Policy Configuration - Controls whether process events are logged at all
- Registry/Group Policy Setting - Controls whether command line details are included in those events
Many administrators (myself included initially) assume that enabling process creation auditing automatically includes command line information. This is not the case.
Diagnostic Steps
Here's how I diagnosed the issue:
1. Check Current Audit Policy Settings
First, I verified that process creation auditing was enabled:
auditpol /get /subcategory:"Process Creation"
If this shows "Success" and/or "Failure" as enabled, then Event 4688 should be generated.
2. Check for Command Line Logging Registry Key
Next, I checked if command line logging was enabled:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled
Or using PowerShell:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -ErrorAction SilentlyContinue
If this returns:
- Value 0x1 = Command line logging is enabled
- Value 0x0 = Command line logging is disabled
- ERROR: The system was unable to find the specified registry key or value = Not configured (defaults to disabled)
The Solution
To enable full process auditing with command lines, I needed to configure both components:
Step 1: Enable Process Creation Auditing
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
This enables:
- Event ID 4688 - Process creation
- Event ID 4689 - Process termination
Step 2: Enable Command Line Logging
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
Or via PowerShell:
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force
Step 3: Apply the Changes
The good news is that no reboot is required. The changes take effect immediately for new processes. However, I typically run:
gpupdate /force
This ensures any related Group Policy settings are also refreshed.
Testing the Configuration
To verify the configuration is working:
- Open a new Command Prompt
- Run a test command: net user %username%
- Open Event Viewer → Windows Logs → Security
- Filter for Event ID 4688
- Check the most recent event; it should now include the full command line
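The diagnostic and verification steps above can be run as one PowerShell check. This is an added example, not a script from the original post: it assumes an elevated session (needed to read the Security log) and that auditpol's /r switch emits the CSV layout with an "Inclusion Setting" column.

```powershell
# Added example: report both halves of the 4688 command-line configuration,
# then show whether recent 4688 records actually carry a command line.
# Assumes an elevated PowerShell session and auditpol /r CSV output.

function Get-ProcessAuditState {
    # Half 1: does auditpol log Process Creation at all?
    $pol = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
    $inclusion = $pol.'Inclusion Setting'

    # Half 2: is the command line included? A missing key/value means disabled.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $reg = Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $cmdLine = if ($null -eq $reg) { 'not configured (defaults to disabled)' }
               elseif ($reg.ProcessCreationIncludeCmdLine_Enabled -eq 1) { 'enabled' }
               else { 'disabled' }

    [pscustomobject]@{
        ProcessCreationAudit  = $inclusion
        CommandLineLogging    = $cmdLine
        EventsWillHaveCmdLine = ($inclusion -ne 'No Auditing') -and ($cmdLine -eq 'enabled')
    }
}

function Get-Recent4688 {
    param([int]$Count = 5)
    # Read EventData fields by name from the event XML rather than by position,
    # so the check does not depend on field ordering across Windows versions.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                NewProcess  = $d['NewProcessName']
                Creator     = $d['ParentProcessName']
                CommandLine = if ([string]::IsNullOrEmpty($d['CommandLine'])) { '<blank>' } else { $d['CommandLine'] }
            }
        }
}

Get-ProcessAuditState | Format-List
Get-Recent4688 | Format-Table -AutoSize -Wrap
```

A host that audits Process Creation but shows every CommandLine as <blank> is exactly the half-configured state described in this post.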
Disabling Process Command Line Auditing
If I need to disable command line logging while keeping process auditing active:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
To completely disable process auditing:
auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
auditpol /set /subcategory:"Process Termination" /success:disable /failure:disable
Resulting Event ID
When these settings have been applied, the event will now look like this:
Conclusion
The key takeaway from my investigation is that Windows process auditing is a two-part configuration:
- Auditpol determines if events are logged
- Registry/Group Policy determines what details are included
If you're seeing Event 4688 but missing command line information, the ProcessCreationIncludeCmdLine_Enabled registry setting is likely not configured. This subtle distinction isn't immediately obvious and can lead to incomplete security monitoring if not addressed.