How to Track Command Prompt Executions in Windows 10/11

  • The article explains how to enable and view the logs of Command Prompt executions in Windows 10 and Windows 11 using the registry and the group policy settings.
  • The article provides step-by-step instructions for modifying the registry and the group policy settings, as well as how to access the logs in the Event Viewer.

Have you ever wondered what commands are executed in the Command Prompt on your Windows PC? Whether you want to monitor your own activity, troubleshoot a problem, or audit the actions of other users, knowing how to track Command Prompt executions can be very useful. In this article, I will show you how to enable and view the logs of Command Prompt executions in Windows 10 and Windows 11.

The Problem

The Command Prompt is a powerful tool that allows you to perform various tasks using text commands. However, by default, Windows does not keep a record of what commands are executed in the Command Prompt. This means that you cannot easily see what commands were run, when they were run, and by whom they were run.

This can pose a problem if you want to review your own commands, check for errors, or investigate suspicious activity. For example, you might want to know what commands were executed by a malware program, a remote attacker, or an unauthorized user on your PC. Or you might want to know what commands were executed by a legitimate program, a script, or a batch file that you ran.

Fortunately, there is a way to enable logging of Command Prompt executions in Windows. Once it is enabled, every command executed in the Command Prompt is recorded, and you can review the records in the Event Viewer.

The Solution

To enable logging of Command Prompt executions in Windows, you need to modify the registry and the group policy settings. This requires administrative privileges and some caution, as incorrect changes to the registry or the group policy can cause serious problems for your system. Therefore, before proceeding, make sure to back up your data and create a system restore point.

Here are the steps to enable logging of Command Prompt executions in Windows:

  1. Open the Registry Editor by pressing Win + R, typing regedit, and hitting Enter.
  2. Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Audit
  3. Right-click on the Audit key and select New > DWORD (32-bit) Value.
  4. Name the new value ProcessCreationIncludeCmdLine and set its data to 1.
  5. Close the Registry Editor.
  6. Open the Group Policy Editor by pressing Win + R, typing gpedit.msc, and hitting Enter.
  7. Navigate to the following path: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
  8. Double-click on Audit Process Creation and check both Success and Failure boxes.
  9. Click OK and close the Group Policy Editor.
  10. Restart your PC for the changes to take effect.

Now you have enabled logging of Command Prompt executions in Windows. To view the logs, follow these steps:

  1. Open the Event Viewer by pressing Win + R, typing eventvwr.msc, and hitting Enter.
  2. In the left pane, expand Windows Logs and select Security.
  3. In the right pane, click Filter Current Log.
  4. In the Filter tab, type 4688 in the Event IDs box and click OK.
  5. You will see a list of events with ID 4688; each one records a process creation.
  6. Double-click on any event to see its details, including the command line that was executed.
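The following PowerShell, added here as an example and not part of the original article, automates the two procedures above: it checks that the Process Creation audit subcategory is on and then pulls the cmd.exe launches out of the 4688 events, including the command line that was run. One caveat: 4688 records process creation, so commands that are cmd built-ins (dir, cd, echo) spawn no process and leave no 4688 event; the launch of cmd.exe itself and any external program it starts (ping.exe, net.exe, and so on) are recorded. The field names are the standard 4688 EventData names; the CSV output path is an assumption.

```powershell
# Added example (not from the original article): verify the audit setting and
# pull Command Prompt launches out of the Security log via Event ID 4688.
# Run from an elevated PowerShell session; reading the Security log needs admin.

# 1. Confirm the "Process Creation" subcategory is actually being audited.
#    auditpol prints "Success and Failure" when the Group Policy step took effect.
auditpol /get /subcategory:"Process Creation"

# 2. Collect 4688 events and keep only those whose new process is cmd.exe.
#    CommandLine stays empty unless the command-line inclusion setting from
#    the registry step is enabled, which is the usual reason it looks blank.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

$cmdLaunches = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['NewProcessName'] -like '*\cmd.exe') {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ParentProcess = $data['ParentProcessName']   # who started cmd.exe
            CommandLine   = $data['CommandLine']
        }
    }
}

# 3. Show the results, newest first, and export them for offline review
#    (the same data the Event Viewer "Save All Events As" option gives you).
$cmdLaunches | Sort-Object Time -Descending | Format-Table -AutoSize
$cmdLaunches | Export-Csv -Path "$env:USERPROFILE\Desktop\cmd_launches.csv" -NoTypeInformation
```

Change the `-like '*\cmd.exe'` filter to `'*\powershell.exe'` or drop it entirely to review every process launch rather than only Command Prompt sessions.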

Frequently Asked Questions (FAQs)

Here are some frequently asked questions related to tracking Command Prompt executions in Windows:

Question: How can I disable logging of Command Prompt executions in Windows?

Answer: To disable logging of Command Prompt executions in Windows, you need to reverse the steps that you followed to enable it. That is:

  1. Set the ProcessCreationIncludeCmdLine value in the registry to 0 or delete it.
  2. Uncheck both Success and Failure boxes for Audit Process Creation in the group policy.
  3. Restart your PC.

Question: How can I export or save the logs of Command Prompt executions in Windows?

Answer: To export or save the logs of Command Prompt executions in Windows, you can use the Save All Events As option in the Event Viewer. This will allow you to save the filtered events as an XML or CSV file that you can open with other programs.

Question: How can I clear the logs of Command Prompt executions in Windows?

Answer: To clear the logs of Command Prompt executions in Windows, you can use the Clear Log option in the Event Viewer. This will delete all events from the Security log. Alternatively, you can use the wevtutil command-line tool to clear specific events from any log.

Disclaimer

This article is for informational purposes only and does not constitute professional advice. The author is not responsible for any damages or losses that may result from following the instructions in this article. Always back up your data before making any changes to your registry or group policy settings. Use this solution at your own risk.

The post How to Track Command Prompt Executions in Windows 10/11 appeared first on PUPUWEB - Information Resource for Emerging Technology Trends and Cybersecurity.