Event ID 4688 not showing anything, but 4696 does - TechRepublic
TechRepublic | Forums | Security
Security
Question
November 6, 2022 at 09:30 PM
#4006185
x9753.x9753

Event ID 4688 not showing anything, but 4696 does

by x9753.x9753 . Updated 3 years, 5 months ago
Operating Systems Security Windows

Hi,

I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation = Success.

And according to this :

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation I should get both event 4688 and event 4696. But I only get logs for 4696. And they don’t show all of the programs that were started.

Also I implemented MS Security Baseline for Win 11 22H2 from here:

https://www.microsoft.com/en-us/download/details.aspx?id=55319

What else do I have to enable to get event 4688 ?

All Comments