Audit Process Creation is an advanced Audit Policy setting which, when enabled, helps track the processes that are created or started on a system. Once this setting is enabled, Windows writes an event to the Security log every time a process starts, and these events can be viewed in the Windows Event Viewer.

Why should you audit process creations?

Regularly auditing the processes on your network helps detect any malicious processes that might be running on your systems. For example, a user might inadvertently download malware that in turn spawns several processes. If Audit Process Creation is enabled, each of these processes is recorded, so you can detect them and take remedial action.

How to enable Audit Process Creation?

  • Open Server Manager on your Windows server.
  • Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
  • Navigate to Forest > Domain > Your Domain > Domain Controllers.
  • Either create a new Group Policy Object (GPO) or edit an existing one.
  • In the Group Policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

Once Audit Process Creation is enabled, it will record the following event IDs:
  • 4688: A new process has been created.
  • 4696: A primary token has been assigned to the process.
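The following PowerShell snippet is an added example, not part of the original page or of ADAudit Plus. It checks and enables the Process Creation subcategory on the local machine with auditpol (an assumption: on domain-joined hosts the GPO setting described above takes precedence), then reads the resulting 4688 events and flattens the fields a process-tracking report would show.

```powershell
# Added example (not from the page): check and enable Audit Process Creation
# on the local machine, then read the resulting 4688 events.
# Assumes an elevated PowerShell session. On domain-joined hosts, configure the
# setting through the GPO path described above, since Group Policy overrides
# the local auditpol configuration.

# 1. Show the current state of the Process Creation subcategory
auditpol /get /subcategory:"Process Creation"

# 2. Enable success auditing; event 4688 is logged as a Success audit
auditpol /set /subcategory:"Process Creation" /success:enable

# 3. Pull the most recent 4688 events and extract host, time, user and process,
#    the same information the report on this page lists
function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Each 4688 event carries its details as <Data Name="..."> elements
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                CmdLine = $data['CommandLine']         # populated only if command-line logging is also enabled
            }
        }
}

Get-ProcessCreationEvents | Format-Table -AutoSize
```

Processes started by an unexpected parent (for example, a command shell spawned by a document viewer) stand out in the Parent column, which is the kind of pattern the report described below is meant to surface.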

Audit Process Creation with ADAudit Plus

ADAudit Plus is an Active Directory auditing tool that can track and report on various network entities, such as users, servers, workstations and so on. It also has a separate section on server audit, where there are reports on user logons, file integrity monitoring and process tracking. These reports can help an admin keep the servers on the network secure. Here is a sample report from ADAudit Plus on Audit Process Creation:

This report gives information on the name of the process, the system where the process runs, the time stamp, the user who created the process, and so on. Regularly checking this report helps ensure that only legitimate processes are running on the server, so that any suspicious process can be detected immediately. This report can be accessed by navigating to Server Audit > Process Tracking > New Process Created.

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory change reporting software that audits, tracks, reports and alerts on workstation logons/logoffs, file servers, domain controllers, attribute modifications, and process creations to help meet security, audit and compliance requirements. With ADAudit Plus, you can track authorized and unauthorized AD management changes and user access to GPOs, groups, computers and OUs. Track every process, file and folder modification, access and permission change with 200+ detailed event-specific reports and get instant email alerts. You can also export the results to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics. For more information on ADAudit Plus, visit https://www.manageengine.com/active-directory-audit/
