EventID 9707: Command Execution Started

This event indicates that a logon task defined in Run/RunOnce Registry Keys has executed.

Analysis Value

Security IdentifierCommand Line OptionsExecution AccountParent and Child InformationEvidence of ExecutionExecution Timestamp

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	❌
Windows XP	❌

Artifact Location(s)

• %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Artifact Interpretation

Field	Interpretation	Reference
System/Security/UserID	This field provides the SID of the account that the logon task executed under.	Security Identifier
EventData/Command	This field shows the full command line options of the task that was run.	Command Line Options
System/Execution/ProcessID	This field provides the process ID that the task ran with.	Parent and Child Information
System/Execution/ThreadID	This field provides the thread ID that the task ran with.	Parent and Child Information

The timestamp of the event indicates the time at which the task was executed.

Example

On an example system, the following registry key exists:

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exampletask
Value: "C:\Temp\example.exe" -silent

During a user logon, the following Microsoft-Windows-Shell-Core/Operational/9707 event is logged:

- 
<Event
	xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
-   <System>
		<Provider Name="Microsoft-Windows-Shell-Core" Guid="{30336ed4-e327-447c-9de0-51b652c86108}" />
		<EventID>9707</EventID>
		<Version>0</Version>
		<Level>4</Level>
		<Task>9707</Task>
		<Opcode>1</Opcode>
		<Keywords>0x2000000004010000</Keywords>
		<TimeCreated SystemTime="2023-04-30T15:57:41.0345751Z" />
		<EventRecordID>21933</EventRecordID>
		<Correlation />
		<Execution ProcessID="5072" ThreadID="11548" />
		<Channel>Microsoft-Windows-Shell-Core/Operational</Channel>
		<Computer>HLPC01</Computer>
		<Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
	</System>
-   <EventData>
		<Data Name="Command">example.exe" -silent</Data>
	</EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044