Channels:
Microsoft-Windows-Shell-Core/Operational.
Events: 9705, 9707, 9708.
Security.
Event: 4657.
Overview
A number of registry keys, known as Auto-Start Extensibility Points (ASEP)
registry keys, reference programs that are run whenever the system boots or a
specific user logs in.
Events are generated for tasks executed through the Run/RunOnce registry
keys, in the Microsoft-Windows-Shell-Core/Operational channel. Additionally,
events can be generated for modifications of these registry keys, but this
requires non-default audit settings and the configuration of a
System Access Control List (SACL) on the registry keys to audit.
For more information on registry ASEP keys, refer to the
Registry - Auto-Start Extensibility Points page.
Registry ASEP execution events
| Channel | Conditions | Events |
|---|---|---|
| Microsoft-Windows-Shell-Core/Operational | Default configuration. Introduced in Windows 10 and Windows Server 2016. | Event 9707: `Started execution of command '<COMMAND>'`. Logged whenever a task is executed through the Run/RunOnce registry keys. Information of interest: domain and username of the user for whom the task executed; command line of the task (with only the program filename and not its full path, even if the full path is specified in the registry). |
| Microsoft-Windows-Shell-Core/Operational | Default configuration. Introduced in Windows 10 and Windows Server 2016. | Event 9708: `Finished execution of command '<COMMAND>' (PID <PROCESS_ID>)`. Logged whenever a task executed through the Run/RunOnce registry keys finishes execution. Information of interest: domain and username of the user for whom the task executed; command line of the task (with only the program filename and not its full path, even if the full path is specified in the registry); process ID of the task process. |
| Microsoft-Windows-Shell-Core/Operational | Default configuration. Introduced in Windows 10 and Windows Server 2016. | Event 9705: `Started enumeration of commands for registry key '<Software\Microsoft\Windows\CurrentVersion\Run | Software\Microsoft\Windows\CurrentVersion\RunOnce>'`. Logged whenever the system enumerates the configured Run or RunOnce registry key's tasks, before their execution. Information of interest: domain and username of the user for whom the enumeration was performed. |
Registry ASEP definition events
| Channel | Conditions | Events |
|---|---|---|
| Security | Requires: the "Audit: Force audit policy subcategory settings" policy to be enabled; "Audit object access" set to Success (and optionally Failure); the System Access Control List (SACL) on the ASEP registry keys to define auditing of the rights Create Subkey, Set Value, Create Link, Write DAC, and Delete for the user conducting the action (possibly through identity/group membership, such as, for example, Everyone). -> very likely not logged. | Event 4657: `A registry value was modified`. Logged whenever a user modifies a registry key for which the audit policy is set to audit usage of the Set Value right (by that user). Information of interest: domain, username, and LogonID of the user conducting the modification; the registry key modified and the new value defined. |