# Enable Audit Process Creation
Follow these steps to turn on detailed auditing of every process that is created on a Windows system.
## Via Command-Line (no reboot)

```powershell
# Enables Success auditing for process creation
auditpol /set /subcategory:"Process Creation" /success:enable
```
## Via Local Group Policy Editor

Using the Local Group Policy Editor:

- Run `gpedit.msc`.
- Navigate to:
## Verify It's On

```powershell
auditpol /get /subcategory:"Process Creation"
```

Expected output:

```
Process Creation    Success Enabled
```
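As an added example (not part of the original page), the following PowerShell script performs the command-line enablement and the verification step end to end, and adds the one setting a defender usually wants alongside it: without the `ProcessCreationIncludeCmdLine_Enabled` policy value, Event ID 4688 records the new process name but not its command line. It assumes an elevated PowerShell session on a current Windows build; `whoami.exe` is used only as a harmless, known process to look for in the Security log.

```powershell
# Added example, not from the original page: enable Process Creation auditing,
# record the command line in Event ID 4688, and confirm events are being written.
# Assumes an elevated PowerShell session.

# 1. Enable Success auditing for the Process Creation subcategory.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Event 4688 omits the process command line unless this policy value is set.
#    Group Policy equivalent: Computer Configuration > Administrative Templates > System
#    > Audit Process Creation > "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Verify the effective policy: the auditpol output must list "Success" for the subcategory.
$policy = auditpol /get /subcategory:"Process Creation"
if (($policy -join ' ') -notmatch 'Success') {
    throw 'Process Creation auditing is not enabled'
}

# 4. Start a known process and confirm it shows up as Event ID 4688 in the Security log.
Start-Process -FilePath 'whoami.exe' -ArgumentList '/user' -WindowStyle Hidden -Wait
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-5) }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue
$hit = $events | Where-Object { $_.Message -match 'whoami\.exe' } | Select-Object -First 1
if (-not $hit) { throw 'No 4688 event found for the test process' }

# The "Process Command Line" field is populated only when step 2 took effect.
$hit.Message
```

If the final message shows an empty "Process Command Line" field, the registry value did not apply (for example because a domain Group Policy overrides it); the auditing itself is still on, but the events will be far less useful for detection without the command line.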
# Install Sysmon with ImageLoad & ProcessCreate
Sysmon extends Windows auditing by logging detailed process and DLL load events.
## 1. Download Sysmon

Obtain the latest Sysmon binaries from Microsoft Sysinternals: https://docs.microsoft.com/sysinternals/downloads/sysmon
## 2. Create a Minimal XML Configuration

Save the following as `sysmon-config.xml`:
## 3. Install or Update Sysmon

From an elevated PowerShell prompt in the folder containing `sysmon64.exe` and your `sysmon-config.xml`:

```powershell
# First install
.\sysmon64.exe -i sysmon-config.xml

# To update an existing installation
.\sysmon64.exe -c sysmon-config.xml
```
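As an added example covering steps 2 and 3 together (this is not the page's own configuration file nor code from the Sysmon project), the script below writes a minimal configuration that records every ProcessCreate (Event ID 1) and ImageLoad (Event ID 7), installs Sysmon or pushes the new configuration depending on whether the service already exists, and then checks that both event types actually arrive in the Sysmon operational log. It assumes an elevated session in the folder containing `sysmon64.exe`; the `schemaversion` value is an assumption and must not be higher than the schema version the installed binary reports (`.\sysmon64.exe -s` prints it).

```powershell
# Added example, not from the original page or the Sysmon project: write a minimal
# Sysmon configuration, install or update Sysmon with it, and verify Events 1 and 7.
# Assumes an elevated PowerShell session in the folder containing sysmon64.exe.

$configPath = Join-Path $PWD 'sysmon-config.xml'

# onmatch="exclude" with no child rules means "log every event of this type".
# schemaversion is an assumption: it must be <= the version shown by .\sysmon64.exe -s.
# ImageLoad is very verbose; in production you would add exclude rules for trusted, signed DLLs.
@'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <ImageLoad onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Install if the Sysmon64 service is absent; otherwise reload the configuration in place.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    .\sysmon64.exe -c $configPath
} else {
    .\sysmon64.exe -accepteula -i $configPath
}

# Start a known process (which also loads DLLs) and look for the resulting events.
Start-Process -FilePath 'whoami.exe' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 7
    StartTime = (Get-Date).AddMinutes(-2)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Event 1 names the new process in "Image:"; Event 7 names the loading process in "Image:".
$processCreate = @($events | Where-Object { $_.Id -eq 1 -and $_.Message -match 'whoami\.exe' })
$imageLoad     = @($events | Where-Object { $_.Id -eq 7 -and $_.Message -match 'whoami\.exe' })

if ($processCreate.Count -eq 0) { throw 'No Sysmon ProcessCreate (Event 1) for the test process' }
if ($imageLoad.Count -eq 0)     { throw 'No Sysmon ImageLoad (Event 7) for the test process' }

"ProcessCreate events: $($processCreate.Count); ImageLoad events: $($imageLoad.Count)"
```

The ImageLoad count will be much larger than the ProcessCreate count (one event per DLL the process maps), which is the practical reason most deployed configurations narrow ImageLoad with exclude rules rather than logging it unfiltered as this minimal example does.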