Audit Policy: Detailed Tracking: Process Creation
This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include:
- 4688: A new process has been created.
- 4696: A primary token was assigned to process.
Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 200 ...
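A way to confirm the subcategory is being audited and to see who created recent processes, as an added example that is not part of the original page. It assumes an elevated PowerShell session and an English-language system where the subcategory is named "Process Creation"; the variable names are illustrative.

```powershell
# Added example: run from an elevated PowerShell session.
$sub = 'Process Creation'   # subcategory name as shown on English-language systems

# auditpol /r prints the current setting as CSV. The "Inclusion Setting"
# column reads "Success", "Failure", "Success and Failure" or "No Auditing".
$row = auditpol /get /subcategory:"$sub" /r |
    Where-Object { $_.Trim() } |      # drop the blank line after the header
    ConvertFrom-Csv
$setting = $row.'Inclusion Setting'
'{0}: {1}' -f $sub, $setting

if ($setting -notmatch 'Success') {
    Write-Warning "Success auditing is not enabled for '$sub'; event 4688 will not be recorded."
    # To enable it locally (domain Group Policy may override this):
    #   auditpol /set /subcategory:"Process Creation" /success:enable
}

# List the most recent 4688 events with the creating user, the creating
# process ID, and the new program's path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            CreatorPid = [Convert]::ToInt32($data['ProcessId'], 16)   # logged as hex
            NewProcess = $data['NewProcessName']
        }
    } |
    Format-Table -AutoSize
```

If the table is empty while the setting shows Success, check that the Security log has not been cleared or rolled over since auditing was enabled.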