Detecting the process command line of programs run from the Run/RunOnce autostart locations using Microsoft-Windows-Shell-Core/Operational events EID 9707/9708 (enabled by default; good for forensics, since they give execution history and execution counts)
Events File Path: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
Below is a summary of programs running, or that were run, from Run/RunOnce on one machine:
These events are extremely valuable for finding traces of previous infections that used Run or RunOnce as a startup mechanism.
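The execution history and count described above can be rebuilt offline from the exported events. The following is an added example (not part of the original post) that parses Event XML as emitted by `wevtutil qe Microsoft-Windows-Shell-Core/Operational /f:xml`, tallies EID 9707 launches and EID 9708 completions per command line, and flags entries that point into locations a standard user can write to. It assumes the EventData field holding the command line is named `Command`; the sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Schema namespace carried by every Windows Event XML record.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
START, FINISH = 9707, 9708  # Shell-Core: command started / command finished
# Locations a standard user can typically write to; a Run/RunOnce entry there deserves review.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample in the shape of `wevtutil qe ... /f:xml` output (no root element):
# a vendor updater launched on two days (one completion logged) and a script host
# launched from a user profile. The EventData field name "Command" is an assumption.
SAMPLE_XML = rf"""
<Event xmlns="{EVENT_NS}"><System><EventID>9707</EventID>
<TimeCreated SystemTime="2024-03-01T08:00:01.000Z"/></System><EventData>
<Data Name="Command">"C:\Program Files\Vendor\updater.exe" /background</Data></EventData></Event>
<Event xmlns="{EVENT_NS}"><System><EventID>9708</EventID>
<TimeCreated SystemTime="2024-03-01T08:00:03.000Z"/></System><EventData>
<Data Name="Command">"C:\Program Files\Vendor\updater.exe" /background</Data></EventData></Event>
<Event xmlns="{EVENT_NS}"><System><EventID>9707</EventID>
<TimeCreated SystemTime="2024-03-02T08:00:02.000Z"/></System><EventData>
<Data Name="Command">"C:\Program Files\Vendor\updater.exe" /background</Data></EventData></Event>
<Event xmlns="{EVENT_NS}"><System><EventID>9707</EventID>
<TimeCreated SystemTime="2024-03-02T08:00:05.000Z"/></System><EventData>
<Data Name="Command">wscript.exe C:\Users\alice\AppData\Roaming\svc\update.vbs</Data></EventData></Event>
"""


def parse_events(xml_text):
    """Yield (event_id, utc_time, command) for every 9707/9708 record in the XML dump."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # wevtutil emits no root element
    for ev in root.findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (START, FINISH):
            continue
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield eid, when, ev.findtext("e:EventData/e:Data[@Name='Command']", namespaces=NS)


def summarize(xml_text):
    """Per command line: launch count, completion count, first and last launch time."""
    hist = defaultdict(lambda: {"starts": 0, "finishes": 0, "first": None, "last": None})
    for eid, when, cmd in parse_events(xml_text):
        h = hist[cmd]
        if eid == START:
            h["starts"] += 1
            h["first"] = min(h["first"] or when, when)  # ISO-8601 UTC strings sort lexically
            h["last"] = max(h["last"] or when, when)
        else:
            h["finishes"] += 1
    return dict(hist)


def triage(xml_text):
    """Command lines whose path lies in a user-writable location, for analyst review."""
    return sorted(cmd for cmd in summarize(xml_text) if USER_WRITABLE.search(cmd))


if __name__ == "__main__":
    for cmd, h in summarize(SAMPLE_XML).items():
        print(f"{h['starts']:>3}x  first={h['first']}  last={h['last']}  {cmd}")
    print("review:", triage(SAMPLE_XML))
```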