I was following this guide on adding command line logging to my GPO. I verified that the current GPO has these settings. You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking. You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ ProcessCreationIncludeCmdLine_Enabled registry key value to 1. Here is what I did to test, I simply created a directory, deleted it, also ran ipconfig, net share and was unable to find those commands expect for ipconfig in the logs. Is there anything else I need to do maybe in the input.conf file? EDIT: Seems like mkdir and rmdir do not show up in the logs but all others do. Does anyone know why?
... View more