EventID 9707: Command Execution Started
This event indicates that a logon task defined in the Run/RunOnce registry keys has executed.
Analysis Value
Security Identifier, Command Line Options, Execution Account, Parent and Child Information, Evidence of Execution, Execution Timestamp
Operating System Availability
Major Version | Support | Major Version | Support |
---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ✅ | Server 2003 | ❌ |
Windows XP | ❌ | | |
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
Artifact Interpretation
Field | Interpretation | Reference |
---|---|---|
| This field provides the SID of the account that the logon task executed under. | |
| This field shows the full command line options of the task that was run. | |
| This field provides the process ID that the task ran with. | |
| This field provides the thread ID that the task ran with. | |
The timestamp of the event indicates the time at which the task was executed.
Example
On an example system, the following registry key exists:
During a user logon, the following Microsoft-Windows-Shell-Core/Operational/9707 event is logged:
This example was produced on Windows 10, Version 10.0.19044 Build 19044
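The following PowerShell script is an added example, not part of this page's original content, showing how an analyst can pull every 9707 event from the log named above, surface the SID, PID, TID and timestamp fields described in the interpretation table, and compare each executed command against the Run/RunOnce values currently in the registry. It assumes the executed command line is the first entry in the event's Properties collection; that index is an assumption and should be confirmed by inspecting one event's XML with ToXml() on the system being examined.

```powershell
# Added example: correlate Shell-Core 9707 "Command Execution Started" events
# with the Run/RunOnce values currently present in the registry.
# Assumption (not stated on the page): the command line is Properties[0].

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Snapshot of the current Run/RunOnce values (PS* provider properties filtered out).
$currentValues = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = [string]$_.Value } }
    }
}

# Read 9707 events from the live log. For an exported copy of
# Microsoft-Windows-Shell-Core%4Operational.evtx use -Path '<file>.evtx' instead of LogName.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Shell-Core/Operational'
    Id      = 9707
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $cmd   = [string]$_.Properties[0].Value        # assumed position of the command line
    $match = $currentValues | Where-Object { $_.Command -eq $cmd }
    [pscustomobject]@{
        TimeCreated     = $_.TimeCreated            # when the task was executed
        UserSid         = $_.UserId                 # SID the task ran under
        ProcessId       = $_.ProcessId
        ThreadId        = $_.ThreadId
        Command         = $cmd
        # False here is worth a second look: RunOnce values are deleted after they
        # fire, and a Run value that has since been removed still leaves this event.
        StillInRegistry = [bool]$match
        RegistryKey     = ($match | Select-Object -ExpandProperty Key -Unique) -join ';'
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run in an elevated session so the HKLM keys and the Operational log are readable; the HKCU keys reflect only the profile the script runs under, so load other users' hives separately when reviewing their logons.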