4688 – A new process has been created.
4689 – A process has exited.
这是一个事件(流程创建)的示例:
A new process has been created.
Subject:
Security ID: S-1-5-21-1388294503-2733603710-2753204785-1000
Account Name: Administrator
Account Domain: HACKEM
Logon ID: 000332DD
Process Information:
New Process ID: 0000254C
New Process Name: C:\Program Files (x86)\Jitsi\Jitsi.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Creator Process ID: 00001010
Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
您必须在 Windows 实例中启用进程审核,您可以使用组策略编辑器 (
gpedit.msc
) 或本地安全策略 (secpol.msc
)。您应该配置安全设置 --> 审计策略 --> 审计进程跟踪或使用高级审计策略配置 --> 系统审计策略 --> 详细跟踪。
启用进程审核后,Windows 将在安全日志中记录以下事件:
这是一个事件(流程创建)的示例:
包括事件日志的屏幕截图: