Channels:

Microsoft-Windows-Shell-Core/Operational.
Events: 9705, 9707, 9708.

Security.
Event: 4657.

Overview

A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, reference programs that are run whenever the system boots or a specific user logs in.

Events are generated in the Microsoft-Windows-Shell-Core/Operational channel for tasks executed through the Run / RunOnce registry keys. Additionally, events can be generated for modifications of the registry keys themselves, but this requires non-default audit settings and a System Access Control List (SACL) configured on the registry keys to be audited.

For more information on registry ASEP keys, refer to the Registry - Auto-Start Extensibility Points page.

Registry ASEP execution events

Channel: Microsoft-Windows-Shell-Core/Operational.
Conditions: Default configuration. Introduced in Windows 10 and Windows Server 2016.

Event 9705: Started enumeration of commands for registry key '<Software\Microsoft\Windows\CurrentVersion\Run | Software\Microsoft\Windows\CurrentVersion\RunOnce>'.

Logged whenever the system enumerates the tasks configured in the Run or RunOnce registry key, before their execution.

Information of interest:
- Domain and username of the user for whom the enumeration was performed.

Event 9707: Started execution of command '<COMMAND>'.

Logged whenever a task is executed through the Run / RunOnce registry keys.

Information of interest:
- Domain and username of the user for whom the task executed.
- Command line of the task (with only the program filename and not its full path, even if the full path is specified in the registry).

Event 9708: Finished execution of command '<COMMAND>' (PID <PROCESS_ID>).

Logged whenever a task executed through the Run / RunOnce registry keys finishes execution.

Information of interest:
- Domain and username of the user for whom the task executed.
- Command line of the task (with only the program filename and not its full path, even if the full path is specified in the registry).
- Process ID of the task process.
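The following PowerShell is an added example (not part of the original page) showing how an analyst would pull the 9705 / 9707 / 9708 events into a timeline and cross-check the executed commands against the Run / RunOnce values currently in the registry. The regular expressions are built from the event message text quoted above; taking the user from the record's UserId SID is an assumption about where the identity is carried, and the field names used for the output objects are the author's own.

```powershell
# Added example: build a per-user timeline of Run / RunOnce executions from the
# Microsoft-Windows-Shell-Core/Operational channel (events 9705, 9707, 9708).
$filter = @{
    LogName   = 'Microsoft-Windows-Shell-Core/Operational'
    Id        = 9705, 9707, 9708
    StartTime = (Get-Date).AddDays(-7)   # look back one week (adjust as needed)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Resolve a SID to DOMAIN\user; fall back to the raw SID for deleted or
# unreachable accounts.
function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    if (-not $Sid) { return $null }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

$timeline = foreach ($e in $events) {
    $msg = $e.Message
    $cmd = $null; $procId = $null; $key = $null
    switch ($e.Id) {
        # "Started enumeration of commands for registry key '<KEY>'."
        9705 { if ($msg -match "registry key '([^']+)'") { $key = $Matches[1] } }
        # "Started execution of command '<COMMAND>'."
        9707 { if ($msg -match "command '([^']+)'") { $cmd = $Matches[1] } }
        # "Finished execution of command '<COMMAND>' (PID <PROCESS_ID>)."
        9708 {
            if ($msg -match "command '([^']+)' \(PID (\d+)\)") {
                $cmd = $Matches[1]; $procId = [int]$Matches[2]
            }
        }
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        User        = Resolve-Sid $e.UserId   # assumption: SID is in UserId
        RegistryKey = $key
        Command     = $cmd
        ProcessId   = $procId
    }
}

# Current Run / RunOnce values for the machine and the current user. Other
# users' HKCU hives are not loaded here; enumerate HKU\<SID> for those.
$configured = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (Test-Path $path) {
            $item = Get-Item $path
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $path; Name = $name; Value = $item.GetValue($name) }
            }
        }
    }
}

# 9707 records only the program filename, so match it against the configured
# command lines. An executed command with no surviving entry is expected for
# RunOnce (entries delete themselves) but worth a second look for Run.
$orphaned = $timeline |
    Where-Object { $_.EventId -eq 9707 } |
    Where-Object {
        $f = $_.Command
        -not ($configured | Where-Object { $_.Value -like "*$f*" })
    }

$timeline | Sort-Object TimeCreated | Format-Table -AutoSize
$orphaned | Select-Object TimeCreated, User, Command | Format-Table -AutoSize
```

Because the 9707 / 9708 message carries only the filename, two different entries that launch the same binary name from different paths are indistinguishable here; the 4657 events in the next section, where enabled, or a live read of the key are needed to recover the full path.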

Registry ASEP definition events

Channel: Security.
Conditions: Requires:

- Audit: Force audit policy subcategory settings to be enabled.

- Audit object access set to Success(, Failure).

- The System Access Control List (SACL) on the ASEP registry keys to audit the rights Create Subkey, Set Value, Create Link, Write DAC, and Delete for the user conducting the action (directly or through group membership, for example Everyone).

-> very likely not logged.

Event 4657: A registry value was modified.

Logged whenever a user modifies a registry value under a key whose SACL audits use of the Set Value right by that user.

Information of interest:
- Domain, username, and LogonID of the user conducting the modification.
- The registry key modified and the new value defined.
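As an added example (not part of the original page), the PowerShell below applies the three prerequisites listed above to the Run / RunOnce keys and then reads back the resulting 4657 events. It must run elevated. The SCENoApplyLegacyAuditPolicy value is the registry equivalent of the "Force audit policy subcategory settings" policy; the Registry subcategory is the part of Audit object access that produces 4657; the 4657 EventData field names (SubjectUserName, ObjectName, ObjectValueName, NewValue, ...) are the standard ones for that event. The variable names and the one-day look-back are the author's own choices.

```powershell
# Added example: enable auditing of Run / RunOnce modifications and query 4657.
# Run from an elevated prompt.

# 1. "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings" = Enabled.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Object Access > Registry subcategory, Success and Failure.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 3. SACL on the ASEP keys for the rights the page lists. ChangePermissions is
#    the RegistryRights name for Write DAC.
$rights = [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateLink -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
          [System.Security.AccessControl.RegistryRights]::Delete
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))

$keys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}
foreach ($path in $keys) {
    if (-not (Test-Path $path)) { continue }
    $acl = Get-Acl -Path $path -Audit   # -Audit is required to read/write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 4. Read back 4657 events and keep only those touching the Run / RunOnce keys.
function Get-RunKeyValueChanges([datetime]$Since = (Get-Date).AddDays(-1)) {
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId   = $d.SubjectLogonId
            Key       = $d.ObjectName          # e.g. \REGISTRY\MACHINE\SOFTWARE\...\Run
            ValueName = $d.ObjectValueName
            Operation = $d.OperationType
            OldValue  = $d.OldValue
            NewValue  = $d.NewValue
            Process   = $d.ProcessName
        }
    } | Where-Object { $_.Key -match '\\CurrentVersion\\(Run|RunOnce)$' }
}

Get-RunKeyValueChanges | Format-Table -AutoSize
```

Two caveats worth keeping in mind: the HKCU path only covers the account running the script, so per-user Run keys of other profiles need the SACL applied under HKU\<SID> (or via Group Policy); and 4657 is produced only for value writes (the Set Value right), while subkey creation, deletion and DACL changes on an audited key surface as object-access events rather than as 4657.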
