Q: What exactly is the command-line auditing feature that Microsoft introduced in Windows 8.1 and Windows Server 2012 R2?

A: Command-line auditing is an extension to the Windows auditing and event system. When enabled, it adds the detailed command-line arguments used by a process to ID 4688 events in the Windows security event log.

Command-line auditing isn't enabled by default. To enable it, you must do the following:

  1. You must enable the Audit Process Creation audit policy so that 4688 events are generated. You can enable this audit policy from the following Group Policy Object (GPO) container: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking.
  2. You must enable the Include command line in process creation events GPO setting. You can find this setting in the following GPO container: Computer Configuration\Administrative Templates\System\Audit Process Creation. Alternatively, you can enable this setting in the local system registry by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\
    ProcessCreationIncludeCmdLine_Enabled registry key value to 1.

For security and privacy reasons, Microsoft doesn't recommend that you enable command-line auditing permanently. When this feature is enabled, any user that has read access to Windows security events will be able to read the command-line arguments for any successfully created process. Keep in mind that command-line commands might contain confidential information, including passwords and other user data. You can find more information about the command-line auditing feature in the TechNet article "Command line process auditing."