Microsoft Security Advisory 3004375

Update for Windows Command Line Auditing

Published: February 10, 2015

Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 that expands the Audit Process Creation policy to include the command line information that is passed to every process. This is a new feature that provides valuable information to help administrators investigate, monitor, and troubleshoot security-related issues on their networks. Note that supported editions of Windows 8.1 and Windows Server 2012 R2 already support this feature. For more information and download links for manual installation, see Microsoft Knowledge Base Article 3004375.

Recommendation. Please see the Suggested Actions section of this advisory for more information.

This advisory discusses the following software.

Affected Software

Operating System

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows Server 2012

Server Core installation option

  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)


What is the scope of the advisory?
The purpose of this advisory is to notify customers that an update is available for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 that expands the Audit Process Creation policy to include the command line information that is passed to every process. This new feature, when enabled and configured, generates an event log entry every time a process is created and includes the command line information passed to that process. The events are logged under the existing event ID 4688 and saved to the Windows Security log. Monitoring these events can provide valuable information to help administrators investigate and troubleshoot security-related issues.

How do I get this update?
The functionality discussed in this advisory can be obtained by installing the 3004375 update directly (see Microsoft Knowledge Base Article 3004375). Note that the update is also bundled with the updates being released in MS15-011 (see Microsoft Knowledge Base Article 3000483) and MS15-015 (see Microsoft Knowledge Base Article 3031432). Either update will install the 3004375 update automatically.

What is the Audit Process Creation policy?
The Audit Process Creation policy is a security audit policy that determines whether or not the operating system generates an audit event when a process is created. When the policy is enabled, an event with ID 4688 is generated and saved to the Windows Security log. Since the policy is disabled by default, no audit events are logged when processes are created unless the policy is enabled. Furthermore, the Audit Process Creation policy must be enabled for the expanded command line auditing feature described in this security advisory to work. For more information about the Audit Process Creation policy, please see Audit Process Creation.

How does this update change security event ID 4688?
After installing and configuring this security update, administrators will see a newly added element in the 4688 security event called Process Command Line, which contains the entire command that was executed for the event in question.
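The following PowerShell is an added example, not part of the advisory or of Microsoft's own tooling. It shows how the new Process Command Line element is consumed: the element is stored in the 4688 event XML under the EventData name CommandLine (Event Viewer renders it as "Process Command Line"), alongside the standard NewProcessName and SubjectUserName fields. The parser is exercised against a constructed sample event so it runs offline; Get-ProcessCreationEvents reads the live Security log and requires the rights to do so.

```powershell
# Added example (not from the advisory or Microsoft): extract the command line
# from 4688 events. NewProcessName, CommandLine, SubjectUserName and
# SubjectDomainName are the standard EventData names of event 4688;
# "Process Command Line" is how Event Viewer renders the CommandLine field.

function ConvertFrom-ProcessCreationXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        NewProcess  = $data['NewProcessName']
        # Null when expanded logging is not enabled: a host that has update
        # 3004375 but not the policy setting emits 4688 without a command line.
        CommandLine = if ($data['CommandLine']) { $data['CommandLine'] } else { $null }
    }
}

function Get-ProcessCreationEvents {
    param([int]$MaxEvents = 50)
    # Reads the live Security log; run from an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-ProcessCreationXml $_.ToXml() }
}

# Constructed sample 4688 event for offline use (user, host and values are made up).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2015-02-11T09:15:02.123Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c ipconfig /all</Data>
  </EventData>
</Event>
'@

# Parse the constructed sample; swap in Get-ProcessCreationEvents on a configured host.
ConvertFrom-ProcessCreationXml $sample | Format-List
```

A null CommandLine on events from a host that has the update is the quickest sign that the expanded logging setting was never enabled there, which is the check to run before relying on 4688 for investigations.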

How do I configure the features that are provided with this update?
The features that are provided with this update are disabled by default. After installing the update, administrators will first need to enable the Audit Process Creation policy, and then enable the feature for expanded logging. For more information, see Microsoft Knowledge Base Article 3004375.

Why is the update not available for supported editions of Windows 8.1 and Windows Server 2012 R2?
The security update is not being provided for supported editions of Windows 8.1 and Windows Server 2012 R2 because the new features discussed in this advisory are already present in these operating systems.

Suggested Actions

  • Apply the update for supported releases of Microsoft Windows

    The majority of customers have automatic updating enabled and will not need to take any action because the 3004375 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

    For administrators and enterprise installations, or end users who want to install the 3004375 update manually, Microsoft recommends that customers apply the update using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 3004375.

  • Enable Audit Process Creation policy and enable Expanded Logging

    After installing the update, administrators will first need to enable the Audit Process Creation policy, and then enable the feature for expanded logging. For more information, see Microsoft Knowledge Base Article 3004375.
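The two-step procedure described here and under "How do I configure the features that are provided with this update?" (enable the audit policy, then enable expanded logging) is carried out and verified by the following PowerShell. It is an added example, not the advisory's or Microsoft's own script. It assumes the standard auditpol subcategory name "Process Creation" and the ProcessCreationIncludeCmdLine_Enabled registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit, which is what the Group Policy setting Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events" writes; run it from an elevated prompt on a host that already has update 3004375.

```powershell
# Added example (not from the advisory or KB 3004375): enable Audit Process
# Creation and the expanded command-line logging, then verify both settings.
# Assumes the standard subcategory name and registry value named below; in a
# domain, deploy the same settings through Group Policy rather than per host.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$regName = 'ProcessCreationIncludeCmdLine_Enabled'

function Enable-ProcessCreationAuditing {
    # Step 1: the audit policy itself. Without it no 4688 events are generated
    # at all, whatever the expanded-logging setting says.
    & auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

    # Step 2: the expanded logging switch delivered by update 3004375
    # (DWORD 1 = include the command line in 4688 events).
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ProcessCreationAuditing {
    # auditpol /get prints a line such as "  Process Creation   Success and Failure"
    # (or "No Auditing"); the text match assumes English auditpol output.
    $line = (& auditpol.exe /get /subcategory:"Process Creation") |
        Where-Object { $_ -match 'Process Creation' }
    $policyOn = [bool]($line -match 'Success')

    $value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    $cmdLineOn = ($value -eq 1)

    [pscustomobject]@{
        AuditProcessCreation  = $policyOn
        CommandLineInEvents   = $cmdLineOn
        # Both must be true before 4688 events carry "Process Command Line".
        ExpandedLoggingActive = ($policyOn -and $cmdLineOn)
    }
}

Enable-ProcessCreationAuditing
Test-ProcessCreationAuditing
```

Two operational caveats follow from the advisory's own description: the command line recorded in 4688 can contain secrets passed as arguments, so the Security log should be treated accordingly, and process creation volume on busy servers makes it worth raising the Security log size or forwarding events before enabling the setting broadly.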

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated

    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed. 

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (February 10, 2015): Advisory published.
