{"id":248,"date":"2016-06-05T22:44:46","date_gmt":"2016-06-05T22:44:46","guid":{"rendered":"http:\/\/eventlogxp.com\/blog\/?p=248"},"modified":"2019-11-06T11:24:10","modified_gmt":"2019-11-06T11:24:10","slug":"process-tracking-with-event-log-explorer","status":"publish","type":"post","link":"https:\/\/eventlogxp.com\/blog\/process-tracking-with-event-log-explorer\/","title":{"rendered":"Process tracking with Event Log Explorer"},"content":{"rendered":"<p>When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). You should configure Security Settings -&gt; Audit Policy -&gt; Audit Process Tracking or use Advanced Audit Policy Configuration -&gt; System Audit Policy -&gt; Detailed Tracking. After enabling process auditing, Windows will register the following events in the Security log:<\/p>\n<blockquote><p>4688 &#8211; A new process has been created.<br \/>\n4689 &#8211; A process has exited.<\/p><\/blockquote>\n<p>Let&#8217;s check what events are generated when we run an application. I will run Event Log Explorer (elex.exe) as a test. Running this application generates a number of events. 
First, as expected, event 4688 was registered in Security log:<\/p>\n<pre>A new process has been created.\r\nSubject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S-1-5-21-1388294503-2733603710-2753204785-1000\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0     Michael\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Domain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0MIKE-HP\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Logon ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 000332DD\r\n\r\nProcess Information:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 New Process ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00000254C\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 New Process Name:\u00a0\u00a0\u00a0\u00a0\u00a0        C:\\Program Files (x86)\\Event Log Explorer\\elex.exe\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Token Elevation Type:\u00a0\u00a0       TokenElevationTypeLimited (3)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Creator Process ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0     00001010\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process Command Line:\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.\u00a0 A full token is only used if User Account Control is disabled or if the user is the built-in 
Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.\u00a0 An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.\u00a0 An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.\u00a0 The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.<\/pre>\n<p>However, the next event (event id 4689) shows that this process exited immediately:<\/p>\n<pre>A process has exited.\r\n\r\nSubject:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 S-1-5-21-1388294503-2733603710-2753204785-1000\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Michael\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Account Domain:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MIKE-HP\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Logon ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 000332DD\r\n\r\nProcess Information:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process ID:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0         0000254C\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Process Name:\u00a0            C:\\Program Files (x86)\\Event Log 
Explorer\\elex.exe\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exit Status:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0       C000042C<\/pre>\n<p>Let&#8217;s explore the fields in the event descriptions. The Subject group is quite clear. Just pay attention to Logon ID \u2013 using this ID you can link these events with event 4624 (account logon, New Logon\\Logon ID). The Process Information group is more interesting for process tracking.<\/p>\n<p><strong>New Process ID<\/strong> (Process ID for event 4689) defines the ID of the Windows process (created or terminated). Note that it is in hexadecimal format, so to match it with process IDs in Task Manager or other programs, you need to convert it into a decimal value.<\/p>\n<p><strong>New Process Name<\/strong> (Process Name) is the full path to the executable.<\/p>\n<p><strong>Token Elevation Type<\/strong> defines how the process runs under UAC (User Account Control). Token Elevation Types are described in the event description. &#8220;1&#8221; means that UAC is disabled (set to Never Notify) or you run the program from the Administrator account or a service account (e.g. when system services start, they register event 4688 with elevation type = 1). &#8220;2&#8221; means that the user ran the process elevated. This happens when the program&#8217;s manifest requires elevation or the user explicitly ran the program using the Run as Administrator option. &#8220;3&#8221; means that the process was run without elevation.<\/p>\n<p><strong>Creator Process ID<\/strong> defines the process ID of the process that started this new process. Note that it is in hexadecimal format, like New Process ID.<\/p>\n<p><strong>Process Command Line<\/strong> defines the command line used to start the process. It includes the full path to the executable along with command line parameters. By default, Process Command Line is empty (because it may contain sensitive data like passwords). 
To enable command line logging you should enable the policy &#8220;Include command line in process creation events&#8221;. This policy is available at Administrative Templates -&gt; System -&gt; Audit Process Creation.<\/p>\n<p><strong>Exit Status<\/strong> (in event 4689) \u2013 the process exit code. A zero value commonly means that the process has exited normally.<\/p>\n<p>In my example we can see that elex.exe was terminated immediately after start with exit code C000042C. This code indicates that the process required elevation. Why does this happen? The program (elex.exe) is designed to run elevated. When I started it by clicking on its icon, Windows tried to run it first and only then detected that the program requires elevation. That&#8217;s why it terminated the current instance.<\/p>\n<p>What&#8217;s next? The next event is 4688: Windows starts the consent.exe process. This program displays the Windows UAC dialog and prompts the user for permission to run our program elevated. Then (if the user accepts elevation) Windows starts the dllhost.exe process (event 4688) to run COM+ components, terminates consent.exe (event 4689) and at last starts elex.exe (event 4688 with Token Elevation Type = 2). This means that we can ignore processes that terminated immediately with an exit status of C000042C. When tracking processes, I also recommend excluding helper processes like consent.exe, dllhost.exe, conhost.exe, svchost.exe, taskhost.exe.<\/p>\n<p>If I start the program using the &#8220;Run as administrator&#8221; option, Windows will not register the first run\/exit events, but will register all the remaining events (consent, dllhost, and elevated elex.exe).<\/p>\n<h3>Let&#8217;s practice<\/h3>\n<p>First we should filter the Security log by event id = 4688, 4689. 
I will use Log Loading filter \u2013 but you can use general filter instead.<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-4688-4689.png\" rel=\"attachment wp-att-249\" data-rel=\"lightbox-gallery-iMVePqlO\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-249\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-4688-4689-287x300.png\" alt=\"process-tracking-filter-4688-4689\" width=\"287\" height=\"300\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-4688-4689-287x300.png 287w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-4688-4689.png 390w\" sizes=\"(max-width: 287px) 100vw, 287px\" \/><\/a><\/p>\n<p>Now we can display process name (path to the executable) in the list as custom columns. I will add 2 custom columns \u2013 Process started and Process Terminated.<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column.png\" rel=\"attachment wp-att-250\" data-rel=\"lightbox-gallery-iMVePqlO\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-250\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column-300x96.png\" alt=\"process-tracking-custom-column\" width=\"300\" height=\"96\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column-300x96.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column-768x245.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column-1024x327.png 1024w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column-660x211.png 660w, 
https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-custom-column.png 1042w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Let&#8217;s remove helper processes from the list. We can filter by description parameters:<\/p>\n<pre> Process Information\\Process Name\u00a0 does not contain host.exe\r\n Process Information\\New Process Name\u00a0 does not contain host.exe\r\n Process Information\\Process Name\u00a0 does not contain consent.exe\r\n Process Information\\New Process Name\u00a0 does not contain consent.exe<\/pre>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-helper.png\" rel=\"attachment wp-att-251\" data-rel=\"lightbox-gallery-iMVePqlO\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-251\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-helper-300x267.png\" alt=\"process-tracking-filter-helper\" width=\"300\" height=\"267\" srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-helper-300x267.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-helper-660x587.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-filter-helper.png 705w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now we can see the result:<\/p>\n<p><a href=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result.png\" rel=\"attachment wp-att-252\" data-rel=\"lightbox-gallery-iMVePqlO\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" class=\"alignnone size-medium wp-image-252\" src=\"http:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result-300x124.png\" alt=\"process-tracking-result\" width=\"300\" height=\"124\" 
srcset=\"https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result-300x124.png 300w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result-768x316.png 768w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result-660x272.png 660w, https:\/\/eventlogxp.com\/blog\/wp-content\/uploads\/2016\/06\/process-tracking-result.png 944w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h3>Windows 10<\/h3>\n<p>Windows 10 (and forthcoming Windows 2016) comes with modified details of event 4688. The most significant addition is that the event description contains Creator Process Name field. It defines the name of the process that started this new process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When performing forensic analysis or system audit activities, you may want to track what programs ran on the investigated computers. Windows security auditing lets you enable process tracking and monitor process creation and process termination. To enable process auditing you should use Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc). 
You should configure Security Settings -&gt; Audit Policy -&gt; Audit Process Tracking or use\u2026 <span class=\"read-more\"><a href=\"https:\/\/eventlogxp.com\/blog\/process-tracking-with-event-log-explorer\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":254,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[40,2],"tags":[5,51,19,21,30,49,4,15],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/248"}],"collection":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/comments?post=248"}],"version-history":[{"count":2,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/248\/revisions"}],"predecessor-version":[{"id":255,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/posts\/248\/revisions\/255"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media\/254"}],"wp:attachment":[{"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/media?parent=248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/categories?post=248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eventlogxp.com\/blog\/wp-json\/wp\/v2\/tags?post=248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}