Process creation does not log event ID 4688 correctly

[bugglebaggle]

Please use the following bug reporting template to help produce actionable and reproducible issues. Please try to ensure that the reproduction is minimal so that the team can go through more bugs!

• A brief description
  Creating a new process within the Linux subsystem causes an incomplete Process Creation event (ID 4688) to be added the Security event log. The New Process Name and Process Command Line fields are blank.

• Expected results
  Creating a new process within the Linux subsystem should log the same quality of information as normal Windows process creation. New Process Name should be the full pathname to the process, and Process Command Line should be the command line.

• Actual results (with terminal output if applicable)
  Here is an excerpt from the XML view of a Linux subsystem Process Creation event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4688</EventID> 
    <Version>2</Version> 
    <Level>0</Level> 
    <Task>13312</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8020000000000000</Keywords> 
    <TimeCreated SystemTime="2017-02-23T01:23:45.678901234Z" /> 
    <EventRecordID>21272</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="4" ThreadID="8916" /> 
    <Channel>Security</Channel> 
    <Computer>DESKTOP-XXXXXXX</Computer> 
    <Security /> 
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX-1001</Data> 
    <Data Name="SubjectUserName">XXXXXXXX</Data> 
    <Data Name="SubjectDomainName">DESKTOP-XXXXXXX</Data>
    <Data Name="SubjectLogonId">0x214XXX</Data> 
    <Data Name="NewProcessId">0x2470</Data> 
    <Data Name="NewProcessName" /> 
    <Data Name="TokenElevationType">%%1938</Data> 
    <Data Name="ProcessId">0x24a8</Data> 
    <Data Name="CommandLine" /> 
    <Data Name="TargetUserSid">S-1-0-0</Data> 
    <Data Name="TargetUserName">-</Data> 
    <Data Name="TargetDomainName">-</Data> 
    <Data Name="TargetLogonId">0x0</Data> 
    <Data Name="ParentProcessName">bash</Data> 
    <Data Name="MandatoryLabel">S-1-16-8192</Data> 
  </EventData>
</Event>

• Your Windows build number
  14393.693

• Steps / All commands required to reproduce the error from a brand new installation

1. Using the Local Group Policy Editor, under Computer Configuration -> Windows Settings -> Security Settings -> Local Policy -> Audit Policy, enable Audit Process Tracking.
2. Run any Windows program, e.g. notepad.exe.
3. In the Event Viewer, check the Security log for a Process Creation event (filter by ID 4688) corresponding to that program.
4. Open a Linux subsystem bash prompt, and run any command that will create a new process, e.g. vim.
5. In the Event Viewer, check the Security log for a corresponding Process Creation event. This can be identified where the Creator Process Name is bash. In this event, both the New Process Name and Process Command Line will be blank.

• Strace of the failing command
  Running the command using strace -e execve confirms that the system call is being made to execute a program.

• Required packages and commands to install
  Nothing other than the Linux subsystem itself.

See our contributing instructions for assistance.

[benhillis]

We have made significant changes to process notifications since Windows 10 Anniversary Update. Please see this blog for more information: https://blogs.msdn.microsoft.com/wsl/2016/11/01/wsl-antivirus-and-firewall-compatibility/