Audit process tracking

This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities.

If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities.

Policy path: 

Computer Configuration\Windows Settings\Local Policies\Audit Policy

Default: 

No auditing

Supported on: 

At least Windows XP SP2, Windows Server 2003

Registry settings: 

Audit Policy security settings are not registry keys.

Reboot required: 

No

Related content