_posts/2024/2024-09-24-run-as-administrator.md
Lines changed: 3 additions & 3 deletions
@@ -15,7 +15,7 @@ The event to monitor is [4688(S): A new process has been created](https://learn.
15
15
16
16
This event generates every time a new process starts. To recognize the "run-as-administrator" use, it is necessary to check the value of the`Token Elevation Type` field, in particular, it must contain`%%1937`
17
17
18
-
This event is disabled by default, but it can be enabled via GPOhttps://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing for domain machines or using the local security policy for stand alone servers (`Local Security Policy` >`Local Policy` >`Audit Policy` >`Audit Process Tracking`)
18
+
This event is disabled by default, but it[can be enabled via GPO](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing) for domain machines or using the local security policy for stand alone servers (`Local Security Policy` >`Local Policy` >`Audit Policy` >`Audit Process Tracking`)
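Review bot: The local policy path in the rewritten sentence (new line 18) names the node `Local Policy`, but the Local Security Policy console labels it "Local Policies", so a reader following the path literally will not find it; suggest `Local Security Policy` > `Local Policies` > `Audit Policy` > `Audit Process Tracking`. While this line is being touched, "stand alone" reads better as "standalone", and the sentence has no closing period. The link target is the command-line process auditing page, which covers both enabling process creation auditing and the separate setting that adds the command line to event 4688; a few words in the sentence saying which of the two the reader needs for the `Token Elevation Type` check would avoid confusion.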