EventID 9707: Command Execution Started

This event indicates that a logon task defined in Run/RunOnce Registry Keys has executed.

Analysis Value

pageSecurity IdentifierpageCommand Line OptionspageExecution AccountpageParent and Child InformationpageEvidence of ExecutionpageExecution Timestamp

Operating System Availability

Major VersionSupportMajor VersionSupport

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Artifact Interpretation



This field provides the SID of the account that the logon task executed under.


This field shows the full command line options of the task that was run.


This field provides the process ID that the task ran with.


This field provides the thread ID that the task ran with.

The timestamp of the event indicates the time at which the task was executed.


On an example system, the following registry key exists:

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exampletask
Value: "C:\Temp\example.exe" -silent

During a user logon, the following Microsoft-Windows-Shell-Core/Operational/9707 event is logged:

-   <System>
		<Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ed4-e327-447c-9de0-51b652c86108}" />
		<TimeCreated SystemTime="2023-04-30T15:57:41.0345751Z" />
		<Correlation />
		<Execution ProcessID="5072" ThreadID="11548" />
		<Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
-   <EventData>
		<Data Name="Command">example.exe" -silent</Data>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated