The Windows Security Log Revealed

Chapter 6
Detailed Tracking Events

The Detailed Tracking category, which corresponds to the Audit process tracking events policy setting, contains a number of subcategories listed in the chart below. However, the category’s primary purpose is to give you the ability to track programs that are executed on the system and to link those process events to logon sessions that are reported by Logon/Logoff events (discussed in Chapter 5) and to file access events that are generated by the Object Access category (discussed in Chapter 7).

Subcategories

Comment

Process Creation

New or child process

Process Termination

Process ending

DPAPI Activity

Data Protection API

RPC Events

Remote Procedure Call

For instance, you can use Detailed Tracking events to determine that Joe opened Excel as shown in the diagram below. By linking Detailed Tracking events to Logon/Logoff events, you can further show that Joe opened Excel during a Remote Desktop logon; by linking Detailed Tracking events to Object Access events, you can document that Joe used Excel to open and modify the file C:\files\payroll.xls.

Detailed Tracking also provides event IDs for monitoring the installation and removal of services and the maintenance of scheduled tasks. These events are handled by the Process Creation and Process Termination subcategories. The other two subcategories, DPAPI Activity and RPC Events, provide coverage of activity in the Data Protection Application Programming Interface (DPAPI) and events that relate to Remote Procedure Calls (RPCs), which we’ll discuss briefly later in this chapter.

Process Creation

The Process Creation subcategory provides just two event IDs. When a system process or a user opens an executable, Windows creates a process in which that executable runs and logs event ID 4688, which identifies the executable and the account that started the process.

Event ID

Title

4688

A new process has been created

4696

A primary token was assigned to process

Event ID 4688 contains a New Process Name description field, which identifies the full pathname of the executable that was started. For instance, if a user opens WordPad, the event will show something similar to C:\Program Files\Windows NT\Accessories\wordpad.exe as the image filename.

To uniquely identify each process during a system boot session, Windows uses a Process ID, which you might have noticed when viewing the Task Manager Processes tab. Event ID 4688 lists the ID of a new process in the New Process ID description field and lists the ID of the process that created the new process in the Creator Process ID description field. The Creator Process ID gives you more information about why and how the program was started. For instance, programs that users open from the Start Menu will list the creator process as the current ID of Explorer—the Windows desktop. Processes that start as system services will list the ID of the service control manager as the Creator Process ID.

Token Elevation Type is a new feature in the Windows Server 2008 and later. In Windows Server 2008 and later, User Account Control (UAC) is installed and enabled by default. UAC separates the standard users credentials from administrator credentials. Security is enhanced because the least privilege principle is used. Many tasks don’t require full administrator privileges. So UAC places 10 Security Options under the Local Security Policy. These options control if and when the token privilege is elevated. When a process is created, event ID 4688 will indicate which Token Elevation Type is in effect.

Token Elevation Type

Description

1

Default (full token as if no UAC)

2

Elevated (token with increased privilege)

3

Limited (token with decreased privilege)

In previous Windows versions, Type 1 (Default) was the only option. You might get tired of the extra Token Elevation Type description text that Microsoft now puts into these events, especially if you’re saving event logs in text format. The XML portion (as described in Chapter 2) does not contain this text.

You might see the other Process Creation event—event ID 4696 (A primary token was assigned to process)—when a service or a scheduled task starts under a different user’s authority. This event has little value; the important information is found in the other events.

Process Termination

When a process terminates, Windows logs event ID 4689. Event ID 4689 also lists the Process ID field in its description, so you can link an instance of that event to the corresponding instance of event ID 4688 and thus determine not just when a program started but when it stopped as well.

Event ID

Title

4689

A process has exited

Linking Detailed Tracking Events with Logon/Logoff Events

You’ll find process IDs in many other security events, giving you the ability to determine the program and person that generated the event. To determine the logon session during which a process started, look at the Logon ID description field in event ID 4688, then find the preceding event ID 4624 instance that has the same Logon ID. Check the Logon Type and Logon Process fields to determine whether the process was started during an interactive or Remote Desktop session (or some other type of logon session).

DPAPI Activity

The DPAPI Activity subcategory reports activity concerning the DPAPI. Per Microsoft: "The Data Protection API (DPAPI) helps to protect data in Windows 2000 and later operating systems. DPAPI is used to help protect private keys, stored credentials (in Windows XP and later), and other confidential information that the operating system or a program wants to keep confidential." We haven’t see a lot of the events in this subcategory, but examining a system that has been under attack might reveal them. Event ID 4695 might indicate an attack, although you’ll also see this event during normal activity. It could mean that a users password was changed and attempts to decrypt with the new password failed. You will see this event if another user attempts to decrypt information. You can find a more detailed description of these events at www.ultimatewindowssecurity.com.

Event ID

Title

4692

Backup of data protection master key was attempted.

4693

Recovery of data protection master key was attempted.

4694

Protection of auditable protected data was attempted.

4695

Unprotection of auditable protected data was attempted.

RPC Events

According to the Windows manifest, the RPC Events subcategory logs events that relate to RPC activity. However, at the time of this writing, we have not observed either of these events.

Event ID

Title

4816

RPC detected an integrity violation while decrypting an incoming message.

5712

A Remote Procedure Call (RPC) was attempted.

Bottom Line

Detailed Tracking events can be effective auditing tools, especially for forensic purposes. These events give you a full audit trail of every program executed on a given computer. You might have noticed that some events, such as scheduled task tracking events and events having to do with object handles, are no longer listed under this category. Microsoft has moved these events to the Object Access category.

Next Chapter

Back to top

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

 

Upcoming Webinars
    Additional Resources