Windows 11 must have command line process auditing events enabled for failures.

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows 11 must have command line process auditing events enabled for failures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257770	WN11-AU-000585	SV-257770r958412_rule		Medium

Description
When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.

STIG	Date
Microsoft Windows 11 Security Technical Implementation Guide	2024-06-10

Details

Check Text ( C-61511r953802_chk )
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policy >> Detailed Tracking >> Audit Process Creation. If "Audit Process Creation" is not set to "Failure", this is a finding.

Fix Text (F-61435r956042_fix)
Go to Computer Configuration >> Windows Settings >>Security Settings>> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".