I want to track process creation on Windows, with the launch arguments, and from what I could see it is possible natively by enabling event ID 4688, but I am having trouble processing what is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I found software from various companies that deals in that, even ingesting logs from multiple sources, but not only would it be overkill, I don't have a license for any of it.

The problem I have is noise, basically: an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞. One can choose to only see 4688s, but that's about it; there is no way to even exclude by path or image name. I thought the "Keywords" field could allow me to do it, but it is something else (the outcome of the event trigger, it seems).

Since some of you are sysadmins, I thought of asking; perhaps you have wanted to do this at some point, or to filter similar event logs, and know how it could be done. I could filter by time, but that would be limiting either way; if at all possible I would prefer having those events logged at all times.

I stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case those that lead to the creation of a new process, and then seeing those calls and the parameters used... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

  On 12/10/2023 at 17:59, KaoDome said:

I want to track process creation on Windows, with the launch arguments, and from what I could see it is possible natively by enabling event ID 4688, but I am having trouble processing what is being logged.
How familiar are you with PowerShell? We use PowerShell to interpret the event log on our domain controllers and fire off emails to our admin team when users get created or deleted in the domain (among many, many other things).

Depending on how you want to filter your event log, you could do something like this:

get-eventlog -logname security -instanceid 4688 | where {$_.message -match 'yourmatchstring'}

Then, once you have the data you want, you can dump it into a CSV or text file or something on your PC. If you want it to run when an event is generated, and then parse the generated event for relevant information before dumping it, you can use the Task Scheduler.
If you give me some more information about what you're trying to parse from those events we can work on putting together the relevant powershell script + task schedule.
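A fuller version of the approach in the reply above, as an added example that is not part of the original thread: it pulls 4688 events from the Security log, reads the named EventData fields (image path, command line, parent process, creating user) from the event XML instead of regexing the Message text, drops images that match an exclusion list, and writes the rest to CSV. It uses Get-WinEvent rather than Get-EventLog so it also runs on PowerShell 7, where Get-EventLog no longer exists. The two prerequisite commands in the header are standard Windows settings; the exclusion patterns and output path are placeholder defaults, not anything from the thread. Run it from an elevated prompt, since reading the Security log needs administrator rights.

```powershell
# Added example (not from the thread): filter Security event 4688 by image path
# and export the interesting fields to CSV. Run elevated to read the Security log.
#
# Prerequisites (run once as administrator):
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
# Without the second setting the CommandLine field of every 4688 stays empty.

param(
    # Regexes matched against the full image path; these defaults are placeholders
    # for illustration, adjust them to whatever is noisy on your machine.
    [string[]]$ExcludePattern = @(
        '\\Windows\\System32\\conhost\.exe$',
        '\\Windows\\System32\\svchost\.exe$'
    ),
    [datetime]$Since  = (Get-Date).AddHours(-24),
    [string]  $OutCsv = "$env:USERPROFILE\Desktop\proc-creation.csv"   # assumed output path
)

# FilterHashtable is applied by the event log service itself, which is far faster
# than reading the whole Security log and filtering with Where-Object afterwards.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each <Data Name="..."> element of the event XML is one named field.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $image = $data['NewProcessName']
    if ($ExcludePattern | Where-Object { $image -match $_ }) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Image       = $image
        CommandLine = $data['CommandLine']          # empty unless the registry value above is set
        Parent      = $data['ParentProcessName']    # present on Windows 10 / Server 2016 and later
        ProcessId   = $data['NewProcessId']         # logged as a hex string, e.g. 0x1a4c
    }
}

if (-not $rows) {
    "No 4688 events matched since $Since (is Process Creation auditing enabled?)"
    return
}

$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutCsv
"{0} events kept after filtering, written to {1}" -f @($rows).Count, $OutCsv
```

To keep this running unattended, save it as a .ps1 and register it with the Task Scheduler on a time trigger; raise $Since to match the interval so consecutive runs do not miss events. Filtering by NewProcessName rather than the whole Message string also avoids a common false negative: the Message text of 4688 contains the parent process path as well, so a regex on the Message excludes every child of an "excluded" parent, not just the parent itself.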
