This article details how you can use LEM to monitor Windows application and process starts and stops.
Enable auditing for Process Creation and Process Termination events in Group Policy. Those subcategories can be found under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking. For more information on changing audit policies and best practices, see Audit Policies and Best Practices for LEM.
Once the auditing is in place, you can find these events in LEM by going to Explore > nDepth and searching for ProcessStart and ProcessStop events. For your reference, the ProcessStart event correlates to Event ID 4688 and the ProcessStop event correlates to Event ID 4689 in your Windows Application log.
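Before searching in nDepth, it helps to confirm on the monitored host that the policy has actually applied and that the events are being written. The following PowerShell check is an added example, not part of the original article or of LEM. It assumes an elevated session on an English-language Windows host (auditpol subcategory names are localized) and reads the Security event log, which is where Windows records audit events 4688 and 4689.

```powershell
# Added example: verify Process Creation / Process Termination auditing locally.
# Assumptions: elevated PowerShell 3.0+, English-language OS, 15-minute look-back.
$wanted = 'Process Creation', 'Process Termination'

# 1. Read the effective audit policy; /r makes auditpol emit CSV.
$policy = auditpol /get /category:"Detailed Tracking" /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $wanted -contains $_.Subcategory }

foreach ($name in $wanted) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
    # Process starts and stops are logged as Success audits.
    $state   = if ($setting -like '*Success*') { 'OK' } else { 'NOT AUDITED' }
    '{0,-20} {1,-22} {2}' -f $name, $setting, $state
}

# 2. Confirm that 4688 (start) and 4689 (stop) events are being generated.
$filter = @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = (Get-Date).AddMinutes(-15)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    'No 4688/4689 events in the last 15 minutes; check that the GPO has applied (gpupdate /force).'
    return
}

$events | Group-Object Id | ForEach-Object {
    'Event ID {0}: {1} event(s)' -f $_.Name, $_.Count
}

# 3. Show the ten most recent events with the process image path.
#    4688 carries the path in NewProcessName, 4689 in ProcessName.
$events | Select-Object -First 10 | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    $proc = ($data | Where-Object { $_.Name -in 'NewProcessName', 'ProcessName' } |
             Select-Object -First 1).'#text'
    [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Process = $proc }
} | Format-Table -AutoSize
```

If both subcategories report a Success setting but no events appear, a conflicting legacy audit policy or a GPO that has not yet refreshed is the usual cause.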