Chris Corio's Blog : auditing, software restriction policieshttp://blog.chriscorio.com/archive/tags/auditing/software+restriction+policies/default.aspxTags: auditing, software restriction policiesenCommunityServer 2008 SP1 (Build: 30619.63)What’s running on my system? - Part 1http://blog.chriscorio.com/archive/2008/09/27/what-s-running-on-my-system-part-1.aspxSun, 28 Sep 2008 03:03:00 GMT95eed723-5cf3-470f-8f7c-049fae03e114:11Chris Corio0http://blog.chriscorio.com/rsscomments.aspx?PostID=11http://blog.chriscorio.com/archive/2008/09/27/what-s-running-on-my-system-part-1.aspx#comments<p>I don&#39;t know about you but I&#39;m interested in figuring out what applications I&#39;m using and what else might be running on my system.&nbsp; I&#39;m going to describe ways to figure that out in a series of blog posts.&nbsp; </p> <p>&nbsp;</p> <p>The first way is to turn on Process Auditing on your system and checkwhat processes are created in your audit log.&nbsp; Here&#39;s how you turn on process auditing:</p> <p>1. Start MMC.exe with full administrator privileges.</p> <p>2. From the <b>File</b> menu choose <b>Add/Remove Snap-in...</b></p> <p>3. Click on Group Policy Object Editor and then click Add. </p> <ul> <li>You will be prompted to determine which Group Policy Object to edit - Local Computer should be highlighted. Keep that setting and press Finish.</li> </ul> <p>4. Click on the OK button.</p> <p>5. Now you will see a node for Local Computer Policy</p> <ul> <li>Expand the <b>Local Computer Policy</b></li> <li>Then expand <b>Computer Configuration-&gt;Windows Settings-&gt;Security Settings-&gt;Local Policies</b>.</li> <li>Click on Audit Policy. You should see the following screen.</li> </ul> <p>&nbsp;<img width="628" src="http://www.chriscorio.com/ScreenShots/MMC-AuditPolicy.jpg" alt="MMC - Audit Policy" height="461" style="float:left;" /></p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>&nbsp;</p> <p>6. Double-click on &quot;Audit process tracking&quot; and check the &quot;Success&quot; check box<b>. </b>It will look like this when you hit OK:</p> <p><img width="352" src="http://www.chriscorio.com/ScreenShots/MMC-AuditProcessSetting.jpg" alt="Process Audit Setting" height="78" /></p> <p>&nbsp;</p> <p>7. Now the creation of processes will be tracked by the system. Time to reboot.</p> <p>&nbsp;</p> <p>After the system restarts it&#39;s time to figure out what&#39;s running.&nbsp; </p> <ol> <li>Open the Event Viewer - you can do this by following the steps above but adding in the <b>Event Viewer </b>snap-in to MMC instead of the Group Policy Object Editor.</li> <li>Expand the following nodes: <b>Event Viewer-&gt;Windows Logs </b>and clicking on <b>Security</b></li> <li>Then click on &quot;Filter Current Log...&quot; in the upper right-hand corner of the Event Viewer snap-in.</li> <li>The Event ID that&#39;s most interesting for this exercise is: 4688, so add this to the filter and click OK.</li> <li>Now you will see a list of all of the processes that have been created.&nbsp;:-) The interesting piece of information is usually the <b>NewProcessName </b>element in each entry.</li> </ol> <p>Well...that&#39;s a great way to understand how your system boots and what processes have been created.&nbsp; Check out the next post where I&#39;ll talk about monitoring what&#39;s being started by each user.</p> <p>&nbsp;</p><div style="clear:both;"></div><img src="http://blog.chriscorio.com/aggbug.aspx?PostID=11" width="1" height="1">Software Restriction PoliciesAuditingWindows OSProcess