Unable to View Process Command Line for Event 4688 in Windows Server

Sridhar Anbazhagan 0 Reputation points
2024-11-13T12:25:58.2766667+00:00

There is an issue viewing the process command line in Process Information in Event Properties for Event 4688 in Windows Server, even after enabling the following settings in the local group policy:

  1. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation.
  2. Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation.

What additional settings or services need to be enabled to see the process command line in Process Information for Event 4688 in Windows Server?

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,852 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,549 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,490 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
445 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,876 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 27,026 Reputation points Microsoft Vendor
    2024-11-14T11:50:58.0433333+00:00

    Hello Sridhar Anbazhagan,

    Thank you for posting in Q&A forum.

    I think the settings you mentioned are correct. Because it is computer configuration, you should link the GPO with settings above to an OU with domain computer objects, not the domain user objects.
    And this event generates every time a new process starts.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.