November 6, 2022 at 9:30 pm #4006185
Event ID 4688 not showing anything, but 4696 does
by x9753.x9753 · about 2 years, 3 months ago
Tags: Operating Systems, Security, Windows
Hi,
I have turned on Local Security Policy: Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit Process Creation = Success.
And according to this:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
I should get both event 4688 and event 4696. But I only get logs for 4696. And they don’t show all of the programs that were started.
Also I implemented MS Security Baseline for Win 11 22H2 from here:
https://www.microsoft.com/en-us/download/details.aspx?id=55319
What else do I have to enable to get event 4688?
All Answers
November 6, 2022 at 9:29 pm #4006212
Time to call it in.
by rproffitt · about 2 years, 3 months ago
In reply to Event ID 4688 not showing anything, but 4696 does
This could be one of the numerous Windows 11 bugs. This doesn’t appear fixable except by Microsoft.
-
December 13, 2022 at 6:09 am #4013327
Reply To: Event ID 4688 not showing anything, but 4696 does
by Johnharper2020 · about 2 years, 2 months ago
In reply to Event ID 4688 not showing anything, but 4696 does
This seems to be a bug in 22H2. Instead, you’ll find a vast number of Event ID 1108 Auditing entries. As of now, there is no fix (to my knowledge). However, please post this in the IT Pro forum as well.
Hope this helps,
John
-
December 30, 2022 at 2:28 am #4017365
Reply To: Event ID 4688 not showing anything, but 4696 does
by Johnharper2020 · about 2 years, 1 month ago
In reply to Event ID 4688 not showing anything, but 4696 does
You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking.
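
The checks discussed in this thread can be run in one pass on the affected machine. The script below is an added example, not part of any post above: it shows the effective Process Creation audit setting, counts the event IDs mentioned in the thread (4688, 4696, 1108), and starts a harmless test process to see whether a matching 4688 is written. It assumes an elevated PowerShell session and an English-language system (the subcategory name passed to auditpol is localized).

```powershell
# Added diagnostic example (not from the thread). Run in an elevated PowerShell session.

# 1. Effective setting for the subcategory. Local Security Policy shows what is
#    configured; auditpol shows what the system is actually applying.
auditpol /get /subcategory:"Process Creation"

# 2. Whether advanced (subcategory) audit settings override legacy category settings.
#    The value SCENoApplyLegacyAuditPolicy backs the policy "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy category settings".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    Write-Output 'SCENoApplyLegacyAuditPolicy: not set'
} else {
    Write-Output "SCENoApplyLegacyAuditPolicy: $($lsa.SCENoApplyLegacyAuditPolicy)"
}

# 3. Count the event IDs mentioned in the thread over the last 24 hours.
$since = (Get-Date).AddHours(-24)
foreach ($id in 4688, 4696, 1108) {
    $found = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $id; StartTime = $since } `
              -ErrorAction SilentlyContinue
    Write-Output ("Event {0}: {1} in the last 24 hours" -f $id, @($found).Count)
}

# 4. Start a harmless test process, then look for the 4688 it should have produced.
$testStart = Get-Date
$exe = Join-Path $env:SystemRoot 'System32\whoami.exe'
Start-Process -FilePath $exe -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2   # give the event log a moment to flush

$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $testStart } `
          -ErrorAction SilentlyContinue |
    Where-Object {
        # Read NewProcessName from the event XML rather than relying on property order.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'NewProcessName').'#text' -eq $exe
    }

if (@($hits).Count -gt 0) {
    Write-Output "4688 recorded for $exe at $($hits[0].TimeCreated)"
} else {
    Write-Output "No 4688 recorded for $exe although the process ran"
}
```

If step 1 reports Success but step 4 finds nothing while the 1108 count keeps growing, the machine matches the behaviour described in the replies above.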