EventID 9707: Command Execution Started
This event is logged by the shell when it starts a command defined in a Run or RunOnce registry key as part of a user logon. It records only that execution of the command was started; what the launched program then did, or whether it ran to completion, has to be established from other sources (process creation telemetry, prefetch, and so on).
Analysis Value
Security Identifier
Command Line Options
Execution Account
Parent and Child Information
Evidence of Execution
Execution Timestamp
Operating System Availability
Windows 11      ✅
Server 2019     ✅
Windows 10      ✅
Server 2016     ✅
Windows 8       ✅
Server 2012     ✅
Windows 7       ✅
Server 2008     ✅
Windows Vista   ✅
Server 2003     ❌
Windows XP      ❌
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
Artifact Interpretation
System/Security/UserID
The SID of the user whose logon triggered processing of the Run/RunOnce key; the command is started in that user's security context. Resolve the SID to an account name (on a live host with Get-LocalUser or the Win32 SID translation, in offline analysis from the SAM hive or the ProfileList registry key) rather than inferring the account from the RID alone.
EventData/Command
The command string taken from the Run/RunOnce value: the image to run followed by any arguments. The logged string is not guaranteed to reproduce the registry data verbatim (compare the registry value with the logged Command in the example below, where the directory and opening quote are absent), so when correlating against the registry or searching across hosts, match on the executable name and arguments rather than on the full string.
System/Execution/ProcessID
The process ID of the process that logged the event, that is, the shell (explorer.exe) that processed the Run/RunOnce entry and launched the command. The PID of the launched program itself is not recorded in this event; obtain it from process creation telemetry (Security 4688, Sysmon Event ID 1) whose parent PID equals this value and whose timestamp follows the event closely.
System/Execution/ThreadID
The thread ID, within the shell process above, of the thread that processed the entry and logged the event. Like the ProcessID it describes the logging process, not the launched program.
Example
On an example system, the following registry key exists:
Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exampletask
Value: "C:\Temp\example.exe" -silent
During a user logon, the following Microsoft-Windows-Shell-Core/Operational/9707 event is logged:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ed4-e327-447c-9de0-51b652c86108}" />
    <EventID>9707</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>9707</Task>
    <Opcode>1</Opcode>
    <Keywords>0x2000000004010000</Keywords>
    <TimeCreated SystemTime="2023-04-30T15:57:41.0345751Z" />
    <EventRecordID>21933</EventRecordID>
    <Correlation />
    <Execution ProcessID="5072" ThreadID="11548" />
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
  </System>
  <EventData>
    <Data Name="Command">example.exe" -silent</Data>
  </EventData>
</Event>
Note that the logged Command, example.exe" -silent, is not the registry value "C:\Temp\example.exe" -silent byte for byte: the directory and the opening quote are missing. The executable name and the arguments survive, so those are the fields to pivot on. The ProcessID 5072 is the shell that launched the command, not the PID of example.exe.
This example was produced on Windows 10, version 10.0.19044 (build 19044).
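The following Python is an added example, not code from the original page: it parses a 9707 event rendered as XML (which is what Get-WinEvent's EventLogRecord.ToXml() returns, or what an .evtx export gives you) into the fields interpreted above, matches the logged Command against a set of Run-key values despite the path truncation seen in the example, and applies a few triage heuristics. The sample event is the one above with unused elements dropped; the Run-key entries, the LOLBin list and the user-writable path list are assumptions made for the example, not fields or rules defined by the event itself.

```python
"""Added example (not from the original page): triage Shell-Core 9707 events."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the page's 9707 event, trimmed to the elements used here.
SAMPLE_9707 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ed4-e327-447c-9de0-51b652c86108}"/>
    <EventID>9707</EventID>
    <TimeCreated SystemTime="2023-04-30T15:57:41.0345751Z"/>
    <EventRecordID>21933</EventRecordID>
    <Execution ProcessID="5072" ThreadID="11548"/>
    <Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001"/>
  </System>
  <EventData>
    <Data Name="Command">example.exe" -silent</Data>
  </EventData>
</Event>"""

# Constructed (hypothetical) contents of HKCU\...\CurrentVersion\Run for the same user.
RUN_ENTRIES = {
    "exampletask": '"C:\\Temp\\example.exe" -silent',
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}

# Heuristic lists (assumptions for this example): interpreters/LOLBins that rarely
# belong in an autostart, and directories any user can write to.
SUSPICIOUS_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public|programdata)\\", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def parse_systemtime(value):
    """ETW writes 7 fractional digits; strptime's %f accepts at most 6."""
    value = re.sub(r"(\.\d{6})\d+Z$", r"\1Z", value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_9707(xml_text):
    """Extract the analysis fields from one 9707 event rendered as XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if event_id != 9707:
        raise ValueError(f"expected EventID 9707, got {event_id}")
    execution = system.find("e:Execution", NS)
    return {
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        # PID/TID of the process that logged the event (the shell), not of the launched program.
        "logger_pid": int(execution.get("ProcessID")),
        "logger_tid": int(execution.get("ThreadID")),
        "user_sid": system.find("e:Security", NS).get("UserID"),
        "command": root.findtext("e:EventData/e:Data[@Name='Command']", namespaces=NS) or "",
    }


def split_command(command):
    """Return (image, arguments). Handles a quoted image path and the stray
    closing quote the page's example shows ('example.exe" -silent')."""
    s = command.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    # Unquoted: the image ends at the first whitespace or stray quote. An unquoted
    # path containing spaces is ambiguous here, and a finding in its own right.
    m = re.match(r'([^\s"]+)"?\s*(.*)$', s)
    return (m.group(1), m.group(2).strip()) if m else ("", "")


def image_basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_run_entries(event, run_entries):
    """Names of Run/RunOnce values whose image basename and arguments match the
    logged Command. Comparing basenames tolerates the directory being dropped."""
    image, args = split_command(event["command"])
    hits = []
    for name, data in run_entries.items():
        reg_image, reg_args = split_command(data)
        if image_basename(reg_image) == image_basename(image) and reg_args == args:
            hits.append(name)
    return hits


def triage(event):
    """Return human-readable findings; an empty list means nothing was flagged."""
    image, args = split_command(event["command"])
    base = image_basename(image)
    findings = []
    if base in SUSPICIOUS_IMAGES:
        findings.append(f"autostart runs an interpreter/LOLBin: {base}")
    if ENCODED_PS.search(f" {args} "):
        findings.append("encoded PowerShell command line")
    if USER_WRITABLE.search(image):
        findings.append("image lives in a user-writable directory")
    if not re.match(r"^[A-Za-z]:\\", image):
        findings.append("image not logged as an absolute path; resolve it from the Run key value")
    return findings


if __name__ == "__main__":
    ev = parse_9707(SAMPLE_9707)
    print(ev["time"], ev["user_sid"], repr(ev["command"]))
    print("matches Run values:", match_run_entries(ev, RUN_ENTRIES))
    print("findings:", triage(ev))
```

To feed live data into parse_9707, export the events with Get-WinEvent -LogName 'Microsoft-Windows-Shell-Core/Operational' -FilterXPath '*[System[EventID=9707]]' and call ToXml() on each record. The matching deliberately compares the executable basename plus arguments rather than the whole string, because, as the example shows, the logged Command can lose the directory and quoting present in the registry value.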