Determining what has run & why
• SysInternals Process Monitor
• Event logs
• Standard entries
• Process creation auditing
• Gpresult
• Scheduled tasks
• Logon scripts
• Users
• Group & local policy
• … and don’t forget device drivers, especially file system filters, & services
@guyrleech
SysInternals Process Monitor
• Capture start/stop on a single-user OS
• Sethc / utilman hijack (crude, & AV products now stop it)
• Remote PowerShell session (elegant)
• SysInternals psexec (old fashioned but not WinRM dependent)
• Process Tree
• Look at creation times, command lines, parent processes & durations
• Filter out unwanted entries & noise, e.g. other sessions (but not session zero)
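The "remote PowerShell session" approach from the slide, written out as an added example (this is not code from the talk or from Sysinternals): Process Monitor is started on the target before the user logs on, terminated once the desktop is usable, the trace is converted to CSV and copied back, and the CSV is turned into a per-process list with parent, command line and duration so the creation-time and duration review can be done in a grid. The computer name, the Procmon path on the target, WinRM access with local admin rights, and the "Parent PID: n, Command line: …" wording of Procmon's Detail column for Process Start events are all assumptions.

```powershell
# Added example (not from the talk): capture a logon with Process Monitor over a remote PowerShell
# session, pull the trace back, and build a process list with parents, command lines and durations.
# Assumed: computer name, Procmon path on the target, WinRM access with local admin rights, and the
# Detail text format Procmon writes for Process Start events.
param(
    [string]$ComputerName = 'TARGET-PC',               # assumed name
    [string]$ProcmonPath  = 'C:\Tools\Procmon64.exe',  # assumed location on the target
    [string]$BackingFile  = 'C:\Temp\logon.pml',       # trace written on the target
    [string]$LocalFolder  = '.'
)

function Invoke-RemoteLogonCapture {
    param($ComputerName, $ProcmonPath, $BackingFile, $LocalFolder)
    $session = New-PSSession -ComputerName $ComputerName
    try {
        # Start before the user logs on. /BackingFile spools to disk instead of paging memory, /Quiet skips
        # the filter dialog and /AcceptEula the first-run prompt, so nothing waits on an interactive desktop.
        Invoke-Command -Session $session -ArgumentList $ProcmonPath, $BackingFile -ScriptBlock {
            param($exe, $file)
            New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
            Start-Process -FilePath $exe -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$file`""
        }

        Read-Host 'Log the user on now, then press Enter once the desktop is usable'

        # /Terminate stops the running instance and flushes the backing file; a second instance then
        # converts the PML to CSV on the target, keeping the Detail column (parent PID, command line).
        $remoteCsv = Invoke-Command -Session $session -ArgumentList $ProcmonPath, $BackingFile -ScriptBlock {
            param($exe, $file)
            Start-Process -FilePath $exe -ArgumentList '/Terminate' -Wait
            $csv = [IO.Path]::ChangeExtension($file, '.csv')
            Start-Process -FilePath $exe -ArgumentList '/AcceptEula', '/Quiet', "/OpenLog `"$file`"", "/SaveAs `"$csv`"" -Wait
            $csv
        }
        Copy-Item -FromSession $session -Path $remoteCsv, $BackingFile -Destination $LocalFolder
        Join-Path $LocalFolder (Split-Path $remoteCsv -Leaf)
    }
    finally { Remove-PSSession $session }
}

function Get-ProcmonProcessTree {
    # Builds start time, parent, command line and duration per process from a Procmon CSV export.
    # Assumes the default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
    param([Parameter(Mandatory)][string]$CsvPath)
    $procs = @{}
    foreach ($row in Import-Csv -Path $CsvPath) {
        switch ($row.Operation) {
            'Process Start' {
                $parent = if ($row.Detail -match 'Parent PID:\s*(\d+)') { $matches[1] } else { $null }
                $cmd    = if ($row.Detail -match 'Command line:\s*(.+?)(,\s*Current directory:|$)') { $matches[1] } else { $null }
                $procs[$row.PID] = [pscustomobject]@{
                    PID = $row.PID; Name = $row.'Process Name'; ParentPid = $parent; ParentName = $null
                    Start = $row.'Time of Day'; End = $null; DurationSec = $null; CommandLine = $cmd
                }
            }
            'Process Exit' {
                # PID reuse inside one short logon is rare enough to ignore here
                if ($procs.ContainsKey($row.PID)) { $procs[$row.PID].End = $row.'Time of Day' }
            }
        }
    }
    foreach ($p in $procs.Values) {
        if ($p.ParentPid -and $procs.ContainsKey($p.ParentPid)) { $p.ParentName = $procs[$p.ParentPid].Name }
        # Processes with no exit in the trace were still running when capture stopped
        if ($p.End) { $p.DurationSec = [math]::Round(([datetime]$p.End - [datetime]$p.Start).TotalSeconds, 2) }
        $p
    }
}

$csv = Invoke-RemoteLogonCapture -ComputerName $ComputerName -ProcmonPath $ProcmonPath -BackingFile $BackingFile -LocalFolder $LocalFolder
Get-ProcmonProcessTree -CsvPath $csv | Sort-Object Start | Out-GridView -Title 'Logon processes'
```

The grid is the place to apply the slide's filtering advice: drop the noise from other sessions, but keep session-zero processes, since services and their children (userinit's parents, for example) are exactly what explain a slow logon.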
Event Logs
• There are more than 4 event logs! Yes, really
• 494 on my Win10 21H2 laptop, with 1284 providers & 161 containing events
• Search them all during the logon period
• PowerShell to the rescue (again)
• Process creation/termination auditing + command line
• Another reason not to use clear text passwords on command lines
• Push into CSV or grid view for further filtering/saving
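As an added example (not the talk's own script), here is the "search them all" approach in PowerShell: enumerate every event log that holds records, pull everything from a window starting at the logon time, and then pair Security events 4688 (process creation) and 4689 (process termination) into per-process durations with their command lines. It assumes process creation/termination auditing and "Include command line in process creation events" are enabled; the logon time and window length are parameters you supply. The last function is the defender's side of the clear-text-password point: it flags 4688 command lines that look like they carry credentials, because those lines are readable by anyone with Security log access and get copied into every collector and backup.

```powershell
# Added example (not from the talk): search every event log for a logon window, pair 4688/4689 into
# process durations, and flag command lines that appear to carry credentials.
# Assumes process creation/termination auditing with command line logging is enabled.

function Get-LogonWindowEvents {
    param([Parameter(Mandatory)][datetime]$Start, [int]$WindowMinutes = 5)
    $end = $Start.AddMinutes($WindowMinutes)
    # -ListLog * enumerates every channel; keep only those that actually hold records
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object RecordCount -gt 0
    foreach ($log in $logs) {
        # Time filtering via -FilterHashtable runs inside the event service, far cheaper than Where-Object
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $Start; EndTime = $end } -ErrorAction SilentlyContinue
    }
}

function Get-EventDataValue {
    # Read a named EventData field from the event XML; more robust than positional Properties[] indexes
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-ProcessDurations {
    param([Parameter(Mandatory)][datetime]$Start, [int]$WindowMinutes = 5)
    $end = $Start.AddMinutes($WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689; StartTime = $Start; EndTime = $end } -ErrorAction SilentlyContinue
    $started = @{}   # keyed by the hex process id string that both events share (e.g. 0x1a4)
    foreach ($e in $events | Sort-Object TimeCreated) {
        if ($e.Id -eq 4688) {
            $procId = Get-EventDataValue $e 'NewProcessId'
            $started[$procId] = [pscustomobject]@{
                Start       = $e.TimeCreated
                End         = $null
                DurationSec = $null
                Subject     = (Get-EventDataValue $e 'SubjectUserName')
                Process     = (Get-EventDataValue $e 'NewProcessName')
                Parent      = (Get-EventDataValue $e 'ParentProcessName')
                CommandLine = (Get-EventDataValue $e 'CommandLine')
            }
        }
        else {
            $procId = Get-EventDataValue $e 'ProcessId'
            if ($started.ContainsKey($procId)) {
                $p = $started[$procId]
                $p.End = $e.TimeCreated
                $p.DurationSec = [math]::Round(($p.End - $p.Start).TotalSeconds, 2)
                $started.Remove($procId)
                $p
            }
        }
    }
    # Anything left had no 4689 inside the window: still running, or exited after it
    $started.Values
}

function Find-CredentialsOnCommandLine {
    # Heuristic only: flags switches/words that usually introduce a password so they can be remediated
    param([Parameter(Mandatory)][object[]]$Processes)
    $Processes | Where-Object { $_.CommandLine -match '(?i)(^|\s)[-/]{0,2}(pass(word|wd)?|pwd|secret)\b' }
}

# Usage (constructed logon time): review everything in a grid, then save the process timeline to CSV
$logon = Get-Date '2024-01-15 08:02:10'
Get-LogonWindowEvents -Start $logon | Select-Object TimeCreated, LogName, Id, ProviderName, Message | Out-GridView -Title 'All logs during logon'
$procs = Get-ProcessDurations -Start $logon
$procs | Sort-Object Start | Export-Csv -NoTypeInformation -Path .\logon-processes.csv
Find-CredentialsOnCommandLine -Processes $procs | Format-Table Process, CommandLine -AutoSize
```

Pairing on the process id is the same idea the ControlUp logon script relies on; the subject of a 4688 can be SYSTEM for processes a service starts on the user's behalf, so filter on the process path or parent rather than the subject name when isolating one logon.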
ControlUp Logon Analysis Script
• Doesn’t need ControlUp to run
• Download from the script library
• Needs logon and process creation/termination auditing in place
• Just need to pass domain\user
• Splits out phases including group policy, logon script & printer mappings
Active Setup
• Designed for one-time app setup for users (or when the app version changes)
• Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432Node)
• Runs the command in the “StubPath” value
• Copies the keys it has run to HKCU
• Can disable by removing some or all HKLM keys
• DO NOT USE! AVOID! DELETE KEYS!
• And now we have AppX logon “stuff”
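An added example (not from the talk) that audits the mechanism the slide describes: it walks the HKLM Active Setup keys in both registry views, compares each against the user's HKCU copy, and reports which StubPath commands will run at the next logon, which are done, and which are switched off. The second function implements the "remove HKLM keys" mitigation with a .reg backup first. The run/skip rules it encodes (run when the HKCU copy is missing or its Version is older; skip when IsInstalled is 0) and the HKCU\Software\Wow6432Node path used for 32-bit components are assumptions about Active Setup behaviour, not something stated on the slide.

```powershell
# Added example (not from the talk): show which Active Setup components will run for the current user,
# and remove a component's HKLM key with a .reg backup. Assumed rules: a component runs when its HKCU
# copy is missing or has an older Version, and is skipped when IsInstalled is 0.
$script:ActiveSetupRoots = @(
    @{ Machine = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
       User    = 'HKCU:\Software\Microsoft\Active Setup\Installed Components' },
    @{ Machine = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
       User    = 'HKCU:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components' }  # assumed 32-bit pairing
)

function ConvertTo-VersionParts {
    # Active Setup versions look like "11,0,19041,1"; tolerate dots and missing values
    param([string]$Version)
    if ([string]::IsNullOrWhiteSpace($Version)) { return @(0) }
    @($Version -split '[,.]' | ForEach-Object { $n = 0; [void][int]::TryParse($_, [ref]$n); $n })
}

function Compare-ActiveSetupVersion {
    # Returns 1 when the machine version is newer than the user copy, 0 when equal, -1 when older
    param([string]$Machine, [string]$User)
    $m = ConvertTo-VersionParts $Machine
    $u = ConvertTo-VersionParts $User
    for ($i = 0; $i -lt [Math]::Max($m.Count, $u.Count); $i++) {
        $a = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        $b = if ($i -lt $u.Count) { $u[$i] } else { 0 }
        if ($a -ne $b) { return [Math]::Sign($a - $b) }
    }
    0
}

function Get-ActiveSetupStatus {
    foreach ($root in $script:ActiveSetupRoots) {
        if (-not (Test-Path -LiteralPath $root.Machine)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root.Machine) {
            $props     = Get-ItemProperty -LiteralPath $key.PSPath
            $userKey   = Join-Path $root.User $key.PSChildName
            $userProps = if (Test-Path -LiteralPath $userKey) { Get-ItemProperty -LiteralPath $userKey } else { $null }
            $status = if ($props.IsInstalled -eq 0)            { 'Skipped: IsInstalled=0' }
                      elseif (-not $props.StubPath)            { 'Skipped: no StubPath' }
                      elseif ($null -eq $userProps)            { 'Will run: no HKCU copy yet' }
                      elseif ((Compare-ActiveSetupVersion $props.Version $userProps.Version) -gt 0) { 'Will run: HKLM Version newer' }
                      else                                     { 'Done: already in HKCU' }
            [pscustomobject]@{
                Component   = $key.PSChildName
                Name        = $props.'(default)'
                Status      = $status
                StubPath    = $props.StubPath
                HklmVersion = $props.Version
                HkcuVersion = $userProps.Version
                Hive        = $root.Machine
            }
        }
    }
}

function Disable-ActiveSetupComponent {
    # Exports the HKLM key to a .reg file before deleting it, so the change can be reversed
    param([Parameter(Mandatory)][string]$Component, [string]$BackupFolder = "$env:TEMP\ActiveSetupBackup")
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    foreach ($root in $script:ActiveSetupRoots) {
        $key = Join-Path $root.Machine $Component
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $backup  = Join-Path $BackupFolder (($Component -replace '[^\w\-]', '_') + '.reg')
        & reg.exe export $regPath $backup /y | Out-Null
        Remove-Item -LiteralPath $key -Recurse
        "Removed $key (backup: $backup)"
    }
}

# Usage: what will fire at the next logon for this user, with the command each one runs
Get-ActiveSetupStatus | Where-Object Status -like 'Will run*' | Format-Table Component, Name, StubPath -AutoSize
```

Run the audit as the user whose logon is slow (the HKCU side is per-user), and run the removal as an administrator; the backup lets a component be restored by double-clicking the .reg file if an application turns out to depend on it.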