The Windows Security Paradise

What’s running on my system? - Part 1

I don't know about you, but I'm interested in figuring out what applications I'm using and what else might be running on my system.  I'm going to describe ways to figure that out in a series of blog posts.


The first way is to turn on Process Auditing on your system and check what processes are created in your audit log.  Here's how you turn on process auditing:

1. Start MMC.exe with full administrator privileges.

2. From the File menu choose Add/Remove Snap-in...

3. Click on Group Policy Object Editor and then click Add.

  • You will be prompted to determine which Group Policy Object to edit - Local Computer should be highlighted. Keep that setting and press Finish.

4. Click on the OK button.

5. Now you will see a node for Local Computer Policy.

  • Expand the Local Computer Policy
  • Then expand Computer Configuration->Windows Settings->Security Settings->Local Policies.
  • Click on Audit Policy. You should see the following screen.

 MMC - Audit Policy


6. Double-click on "Audit process tracking" and check the "Success" check box. It will look like this when you hit OK:

Process Audit Setting


7. Now the creation of processes will be tracked by the system. Time to reboot.


After the system restarts it's time to figure out what's running. 

  1. Open the Event Viewer - you can do this by following the steps above but adding in the Event Viewer snap-in to MMC instead of the Group Policy Object Editor.
  2. Expand the following nodes: Event Viewer->Windows Logs, then click on Security.
  3. Then click on "Filter Current Log..." in the upper right-hand corner of the Event Viewer snap-in.
  4. The Event ID that's most interesting for this exercise is: 4688, so add this to the filter and click OK.
  5. Now you will see a list of all of the processes that have been created. :-) The interesting piece of information is usually the NewProcessName element in each entry.
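Both procedures above, done from an elevated PowerShell prompt instead of the MMC snap-ins, as an added example that is not from the original post. It uses auditpol to enable success auditing for process creation and Get-WinEvent to pull event 4688 and summarise the NewProcessName element; it assumes Windows Vista / Server 2008 or later, where both tools exist, and the ParentProcessName field it reads is only present on newer releases.

```powershell
# Added example (not from the original post): the two procedures above from
# an elevated PowerShell prompt. Requires Vista / Server 2008 or later.

# 1. Turn on success auditing for process creation. This is the command-line
#    equivalent of ticking "Success" on "Audit process tracking" in the GUI.
auditpol /set /subcategory:"Process Creation" /success:enable

# 2. Read the Security log for event 4688 and summarise which executables
#    were started, keyed on the NewProcessName element the post points at.
function Get-ProcessCreationSummary {
    param(
        [int]$MaxEvents = 5000,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # The event body is XML; read the named <Data> elements rather than
            # positional Properties, whose order differs between OS versions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $data['SubjectUserName']
                NewProcessName = $data['NewProcessName']
                # Assumption: ParentProcessName exists only on newer Windows;
                # it is simply $null on releases that do not log it.
                Parent         = $data['ParentProcessName']
            }
        } |
        Group-Object NewProcessName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Show which executables were started most often in the last day.
Get-ProcessCreationSummary | Format-Table -AutoSize
```

Pipe the output of Get-ProcessCreationSummary to Export-Csv if you want to keep a baseline of what normally runs, so later boots can be compared against it.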

Well...that's a great way to understand how your system boots and what processes have been created.  Check out the next post where I'll talk about monitoring what's being started by each user.

Posted Sep 27 2008, 08:03 PM by Chris Corio
