Information
This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.
The recommended state for this setting is: Enabled
Note: This feature that this setting controls was not originally supported in workstation OSes older than Windows 8.1. However, in February 2015 Microsoft added support for the feature to Windows 7 and Windows 8.0 via an update -
KB3004375
. Therefore, this setting is also important to set on those older OSes.
Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled :
Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events
Note: This Group Policy path is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Impact:
Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data.
Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called 'Protected Event Logging' to better secure event log data. For assistance with protecting event logging, visit:
About Logging Windows - PowerShell | Microsoft Docs
.