When you start a program you are creating a process that stays open until the program exits. You can correlate this event (4688) to other events by Process ID to determine what the program did while it ran and when it exited (event 4689).
Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. One of the examples below shows the SYSTEM account starting RuntimeBroker.exe as a different user; in that case the Subject is SYSTEM and the Target Subject fields name the user the new process actually runs as.

New Process ID allows you to correlate other events logged during the same process. To determine when the program ended, look for a subsequent event 4689 with the same Process ID. Process IDs are reused once a process exits, so match the first 4689 logged after the 4688, not just any 4689 carrying that ID.

Token Elevation Type has three values. Type 1 is a full token with no privileges removed and no groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token, used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled.

Mandatory Label documents the integrity of the process, which is determined from the user integrity level and the file integrity level of the EXE. Learn more about MIC at (vvs.85).aspx. The actual values observed so far include.

Creator Process ID: look for a preceding event 4688 with a New Process ID that matches this Creator Process ID, or, on Windows 10 or later, look at the next field (Creator Process Name) to get the EXE name of the parent process.

Process Command Line is empty unless command-line auditing is enabled. See Administrative Templates > System > Audit Process Creation > Include command line in process creation events in group policy (the equivalent registry value is ProcessCreationIncludeCmdLine_Enabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit). Keep in mind that once enabled, any passwords passed on a command line are written into the Security log.
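The correlation described above, as an added example that is not part of the original page: a small Python correlator that walks 4624, 4688 and 4689 records in log order, joins each 4688 to its logon session by Logon ID, to its parent by Creator Process ID (falling back to the parent's own 4688 when the event has no Creator Process Name, as on pre-Windows 10 systems), and to its exit by 4689, while decoding the Token Elevation Type and Mandatory Label values. The sample events are constructed, not real log data; they use the real EventData field names in the XML layout that Get-WinEvent's ToXml() produces, so the parser also works on exported event XML. The label SID table holds the well-known integrity levels, which the page's own list does not show.

```python
"""Correlate Windows Security events 4688, 4689 and 4624 by Process ID and Logon ID.

Added example. The sample events below are constructed, not real log data. They use
the EventData field names of the real events (SubjectLogonId, NewProcessId,
TokenElevationType, ProcessId, ParentProcessName, MandatoryLabel, ...) in the XML
layout that Get-WinEvent's ToXml() emits, so parse_event() also works on exported XML.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Token Elevation Type as logged in 4688 (resource-string references).
TOKEN_ELEVATION = {
    "%%1936": "Type 1 (full token)",
    "%%1937": "Type 2 (elevated token)",
    "%%1938": "Type 3 (limited token)",
}

# Well-known Mandatory Integrity Control label SIDs.
MANDATORY_LABEL = {
    "S-1-16-0": "Untrusted",
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-8448": "Medium Plus",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
    "S-1-16-20480": "Protected Process",
}


def event_xml(event_id, data):
    """Build a minimal record in the Windows event XML schema (used for the constructed samples)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def correlate(events):
    """Walk events in log order and join each 4688 to its logon, parent and exit.

    Events must be chronological: PIDs are reused once a process exits, so a 4689
    is matched only against the process currently live under that PID.
    """
    logons = {}    # TargetLogonId -> 4624 data
    live = {}      # NewProcessId  -> record of a process that has not exited yet
    records = []
    for event_id, d in (parse_event(x) for x in events):
        if event_id == 4624:
            logons[d["TargetLogonId"]] = d
        elif event_id == 4688:
            creator_pid = d["ProcessId"]
            target_user = d.get("TargetUserName", "-")
            rec = {
                "pid": d["NewProcessId"],
                "exe": d["NewProcessName"],
                "cmdline": d.get("CommandLine", ""),  # empty unless command-line auditing is on
                "user": d["SubjectUserName"],
                "logon_id": d["SubjectLogonId"],
                "logon_user": logons.get(d["SubjectLogonId"], {}).get("TargetUserName"),
                "run_as": None if target_user in ("", "-") else target_user,
                "token": TOKEN_ELEVATION.get(d["TokenElevationType"], d["TokenElevationType"]),
                "integrity": MANDATORY_LABEL.get(d.get("MandatoryLabel", ""), "unknown"),
                "parent_pid": creator_pid,
                # Win10+: Creator Process Name is in the event; older: resolve via the creator's own 4688.
                "parent_exe": d.get("ParentProcessName") or live.get(creator_pid, {}).get("exe"),
                "exit_status": None,
            }
            live[rec["pid"]] = rec
            records.append(rec)
        elif event_id == 4689:
            rec = live.get(d["ProcessId"])
            if rec is not None and rec["logon_id"] == d["SubjectLogonId"]:
                rec["exit_status"] = d["Status"]
                del live[d["ProcessId"]]
    return records


# Constructed sample: alice logs on, explorer starts with a limited token, an elevated cmd.exe
# runs and exits, and SYSTEM starts RuntimeBroker.exe on alice's behalf (Target Subject = alice).
SAMPLE_EVENTS = [
    event_xml(4624, {"TargetUserName": "alice", "TargetLogonId": "0x1a2b3", "LogonType": "2"}),
    event_xml(4688, {"SubjectUserName": "alice", "SubjectLogonId": "0x1a2b3", "NewProcessId": "0x1f40",
                     "NewProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1938",
                     "ProcessId": "0xabc", "CommandLine": ""}),
    event_xml(4688, {"SubjectUserName": "alice", "SubjectLogonId": "0x1a2b3", "NewProcessId": "0x2328",
                     "NewProcessName": r"C:\Windows\System32\cmd.exe", "TokenElevationType": "%%1937",
                     "ProcessId": "0x1f40", "CommandLine": "cmd.exe /c whoami /priv",
                     "MandatoryLabel": "S-1-16-12288", "TargetUserName": "-"}),
    event_xml(4688, {"SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7", "NewProcessId": "0x2a10",
                     "NewProcessName": r"C:\Windows\System32\RuntimeBroker.exe", "TokenElevationType": "%%1936",
                     "ProcessId": "0x3b8", "CommandLine": "", "MandatoryLabel": "S-1-16-8192",
                     "TargetUserName": "alice", "TargetLogonId": "0x1a2b3",
                     "ParentProcessName": r"C:\Windows\System32\svchost.exe"}),
    event_xml(4689, {"SubjectLogonId": "0x1a2b3", "ProcessId": "0x2328",
                     "ProcessName": r"C:\Windows\System32\cmd.exe", "Status": "0x0"}),
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_EVENTS):
        ended = f"exited {r['exit_status']}" if r["exit_status"] else "no 4689 seen"
        print(f"{r['pid']} {r['exe']} user={r['user']} run_as={r['run_as']} token={r['token']} "
              f"integrity={r['integrity']} parent={r['parent_exe']} {ended}")
```

The explorer.exe record deliberately lacks ParentProcessName and MandatoryLabel, as an older-OS event would, so its parent resolves to nothing and its integrity reads "unknown"; the cmd.exe record resolves its parent through the live explorer.exe 4688 instead, which is the pre-Windows 10 lookup the page describes.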