
I want to track process creation on Windows, with their launching arguments, and from what I could see it is possible natively by enabling event ID 4688, but I am having trouble processing what is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I got to software from various companies that deal in that, even ingesting logs from multiple sources, but not only would it be overkill, I don't have a license for any.

The problem I have is basically noise, an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞: one can choose to only see 4688s, but that's about it, no way to even exclude by path or image name. I thought the "Keywords" field could allow me to do it, but it is something else (the outcome of the event trigger, it seems).

Since some of you guys are sysadmins, I thought of asking; perhaps you have wanted to do this at some point, or to filter similar event logs, and know how it could be done. I could filter by time, but it would be limiting either way; if at all possible I would prefer having those events logged at all times.

I stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case those that lead to the creation of a new process, and then seeing those calls and the parameters used ... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

On 12/10/2023 at 17:59, KaoDome said: (quoting the post above)

How familiar are you with PowerShell? We utilize PowerShell to interpret the event log on our domain controllers to fire off emails to our admin team when users get created or deleted in the domain (among many, many other things).

Depending on how you want to filter your event log, you could do something like this:

Get-EventLog -LogName Security -InstanceId 4688 | Where-Object { $_.Message -match 'yourmatchstring' }

Then, once you have the data you want, you can either dump it into a CSV or text doc or something on your PC. If you wanted it to run when an event is generated, and then parse the generated event for relevant information before dumping it, you can utilize the Task Scheduler.


If you give me some more information about what you're trying to parse from those events we can work on putting together the relevant powershell script + task schedule.
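As an added example (not posted by anyone in the thread), here is a PowerShell script that does the filtering the reply describes, but reads the structured EventData of each 4688 event instead of regex-matching the Message text, so image path, command line and parent can be filtered by field; the exclusion patterns, output path and 24-hour window are assumed values to adjust.

```powershell
# Added example, not from the thread: pull 4688 process-creation events with
# Get-WinEvent, read the named EventData fields, drop noisy images by path,
# and write the survivors to CSV. Run from an elevated prompt (Security log).
param(
    [datetime]$Since = (Get-Date).AddHours(-24),           # assumed window
    [string]$OutCsv  = "$env:USERPROFILE\Desktop\proc-create.csv"
)

# Image paths treated as noise (assumed examples; tune for your own machine).
$ExcludeImage = @(
    '^C:\\Windows\\System32\\conhost\.exe$',
    '^C:\\Windows\\System32\\SearchProtocolHost\.exe$'
)
$ExcludeRegex = $ExcludeImage -join '|'

# Filter server-side on log, event ID and time so the noise never reaches us.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Each <Data Name="..."> element in the event XML is one 4688 field.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            NewProcess  = $d.NewProcessName
            CommandLine = $d.CommandLine        # empty unless policy below is on
            Parent      = $d.ParentProcessName
            NewPid      = [int]$d.NewProcessId  # logged as a hex string, e.g. 0x1a2c
        }
    } |
    Where-Object { $_.NewProcess -notmatch $ExcludeRegex }

$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
'{0} process-creation events written to {1}' -f @($rows).Count, $OutCsv
```

The CommandLine column stays empty until the "Include command line in process creation events" policy (Computer Configuration > Administrative Templates > System > Audit Process Creation) is enabled alongside Audit Process Creation itself; once that is on, the same script can be scheduled in Task Scheduler with a narrower window to append to the CSV periodically.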
