EventID 9707: Command Execution Started

This event indicates that a logon task defined in Run/RunOnce Registry Keys has executed.

Analysis Value

pageSecurity Identifier pageCommand Line Options pageExecution Account pageParent and Child Information pageEvidence of Execution pageExecution Timestamp

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	❌
Windows XP	❌

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

✅

Server 2003

❌

Windows XP

❌

Artifact Location(s)

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Artifact Interpretation

Field Interpretation Reference

Field	Interpretation	Reference
`System/Security/UserID`	This field provides the SID of the account that the logon task executed under.	Security Identifier
`EventData/Command`	This field shows the full command line options of the task that was run.	Command Line Options
`System/Execution/ProcessID`	This field provides the process ID that the task ran with.	Parent and Child Information
`System/Execution/ThreadID`	This field provides the thread ID that the task ran with.	Parent and Child Information

System/Security/UserID

This field provides the SID of the account that the logon task executed under.

Security Identifier

EventData/Command

This field shows the full command line options of the task that was run.

Command Line Options

System/Execution/ProcessID

This field provides the process ID that the task ran with.

Parent and Child Information

System/Execution/ThreadID

This field provides the thread ID that the task ran with.

Parent and Child Information

The timestamp of the event indicates the time at which the task was executed.

Example

On an example system, the following registry key exists:

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exampletask
Value: "C:\Temp\example.exe" -silent

During a user logon, the following Microsoft-Windows-Shell-Core/Operational/9707 event is logged:

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <System>
		<Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ed4-e327-447c-9de0-51b652c86108}" />
		<EventID>9707</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>9707</Task>
		<Opcode>1</Opcode>
		<Keywords>0x2000000004010000</Keywords>
		<TimeCreated SystemTime="2023-04-30T15:57:41.0345751Z" />
		<EventRecordID>21933</EventRecordID>
		<Correlation />
		<Execution ProcessID="5072" ThreadID="11548" />
		<Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
		<Computer>HLPC01</Computer>
		<Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
	</System>
-   <EventData>
		<Data Name="Command">example.exe" -silent</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated 6 months ago