Audit Process Termination
Audit Process Termination determines whether the operating system generates audit events when process has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Low to Medium, depending on system usage.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as Audit Process Creation subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as Audit Process Creation subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as Audit Process Creation subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with 4688 event. If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Events List:
- 4689(S): A process has exited.