Windows 10 must have command line process auditing events enabled for failures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257589	WN10-AU-000585	SV-257589r930680_rule		Medium

Description
When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.

STIG	Date
Microsoft Windows 10 Security Technical Implementation Guide	2023-09-29

Details

Check Text ( C-61326r930679_chk )
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure". If "Audit Process Creation" is not set to "Failure", this is a finding.

Fix Text (F-61250r930669_fix)
Go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".