-
Notifications
You must be signed in to change notification settings - Fork 1
/
audit-custom-view.ps1
36 lines (32 loc) · 1.38 KB
/
audit-custom-view.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# Create the "Process Creation" Event Viewer сustom view to log the executed processes and their arguments
Function EnableEventViewerCustomView {
Write-Output "Enable Event Viewer Custom View ..."
# Enable events auditing generated when a process is created (starts)
auditpol /set /subcategory:"{0CCE922B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
# Include command line in process creation events
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -Name ProcessCreationIncludeCmdLine_Enabled -PropertyType DWord -Value 1 -Force
$XML = @"
<ViewerConfig>
<QueryConfig>
<QueryParams>
<UserQuery />
</QueryParams>
<QueryNode>
<Name>$($Localization.EventViewerCustomViewName)</Name>
<Description>$($Localization.EventViewerCustomViewDescription)</Description>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4688)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
"@
if (-not (Test-Path -Path "$env:ProgramData\Microsoft\Event Viewer\Views"))
{
New-Item -Path "$env:ProgramData\Microsoft\Event Viewer\Views" -ItemType Directory -Force
}
# Save ProcessCreation.xml in the UTF-8 without BOM encoding
Set-Content -Path "$env:ProgramData\Microsoft\Event Viewer\Views\ProcessCreation.xml" -Value $XML -Encoding Default -NoNewline -Force
}