Prevent Command Line Logging via Registry

Rule name: Prevent Command Line Logging via Registry

Rule type: Standard

Log sources: Windows, Sysmon

MITRE ATT&CK tags: Defense Evasion: Modify Registry (T1112)

Severity: Critical

About the rule

Rule Type

Standard

Rule Description

This analytic identifies attempts to evade detection by disabling command-line logging in the Windows Security event log. It monitors for modifications to the registry value ProcessCreationIncludeCmdLine_Enabled under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit. When this REG_DWORD value is set to 0, process creation events (Security event ID 4688) no longer record the command line of the new process; when it is set to 1, the command line is included. The value is the one Group Policy writes for "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation), so a legitimate change normally arrives through policy processing rather than a direct registry write.

Why this rule?

This modification disables process command-line logging, removing critical forensic data that security teams use to investigate attacks. Attackers use this technique to hide their malicious commands and scripts from detection. Identifying this change is crucial for maintaining visibility into potentially malicious activity.

Severity

Critical

Rule journey

Attack chain scenario

Initial Access → Privilege Escalation → Defense Evasion → Registry Modification (ProcessCreationIncludeCmdLine_Enabled) → Execution of malicious commands → Evasion of command-line based detection rules.

Impact

Blindness in security operations center (SOC) monitoring. Many detection rules rely on command-line arguments to identify malicious behavior; disabling this feature renders those rules ineffective.

Rule Requirement

Prerequisites

Enable object-access auditing for the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit: turn on the Audit Registry subcategory (Advanced Audit Policy, Object Access) and place a SACL on the key that audits Set Value, so that a change to the value produces Security event 4657 (registry value modified). Without both the subcategory and the SACL, no 4657 event is written and the rule has nothing to match. If Sysmon is the source instead, its configuration must contain a RegistryEvent rule that matches this path so that event ID 13 (registry value set) is recorded; the "DWORD (0x00000000)" string in the rule's criteria is the Details field Sysmon writes for a DWORD value of zero.
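The following PowerShell script is an added example and is not part of the original rule page: it turns on the telemetry the prerequisite describes and verifies it. It assumes an elevated session on the monitored host, the registry path given above, and that audit policy is not centrally overridden by Group Policy (if it is, the auditpol change is reverted at the next policy refresh and must be made in the GPO instead). The choice of "Everyone" as the audited principal and of the SetValue and Delete rights is a choice made for this example.

```powershell
# Added example, not code from the original rule page.
# Enable the audit trail the rule depends on: Security event 4657 for writes to the
# ProcessCreationIncludeCmdLine_Enabled value. Run from an elevated PowerShell session.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

# 1. Make sure the key exists and command-line logging is on (value = 1).
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Enable the "Audit Registry" subcategory (Object Access). Without it no 4657 event is
#    written even when the key carries a SACL. Overridden by GPO if advanced audit policy
#    is centrally managed (assumption for this example: it is not).
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 3. Add a SACL entry so that every successful Set Value or Delete on the key is audited.
#    Reading and writing the SACL needs SeSecurityPrivilege, which an elevated admin has.
#    "Everyone" as the audited principal is a choice made for this example.
$acl  = Get-Acl -Path $auditKey -Audit
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $auditKey -AclObject $acl

# 4. Verify: the subcategory shows Success and Failure, and the SACL entry is present.
auditpol.exe /get /subcategory:"Registry"
(Get-Acl -Path $auditKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# 5. Optional self-test: flip the value and check that a 4657 event names it.
#    (Re-enables logging afterwards.)
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 0 -Type DWord
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -MaxEvents 5 |
    Where-Object { $_.Message -match 'ProcessCreationIncludeCmdLine_Enabled' } |
    Select-Object TimeCreated, Id, Message
```

The self-test in step 5 deliberately writes 0 and then 1, so it produces two 4657 events and one genuine hit for the rule; run it only where the resulting alert can be closed as a test.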

Criteria

Action1: actionname = "Registry Event" AND ( OBJECTNAME contains "Windows\CurrentVersion\Policies\System" ) AND ( OBJECTNAME endswith "ProcessCreationIncludeCmdLine_Enabled" OR OBJECTVALUENAME = "ProcessCreationIncludeCmdLine_Enabled" ) AND ( CHANGES = "0" OR INFORMATION = "DWORD (0x00000000)" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.PROCESSNAME,Action1.OBJECTNAME,Action1.OBJECTVALUENAME,Action1.ACCESSES,Action1.USERNAME,Action1.DOMAIN,Action1.PREVVAL,Action1.CHANGES,Action1.INFORMATION

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112)

Future actions

Known False Positives

Rare in production. Might occur during system hardening audits or when an administrator is testing audit policy configurations. A Group Policy that defines "Include command line in process creation events" as Disabled writes 0 to this value during policy processing (for example after gpupdate /force or when the GPO changes), so repeated hits from the same hosts, with the writing process being the Group Policy client, point to a misconfigured policy rather than tampering.

Next Steps

  1. Identification: Identify the account that changed the registry value to '0'.
  2. Analysis: Check if this change was followed by suspicious process executions that now lack command-line detail.
  3. Response: Immediately revert the registry value to '1' and investigate the source of the unauthorized configuration change. If Group Policy defines the setting, correct the policy: a host-level revert is overwritten the next time the policy is processed.
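The following PowerShell script is an added example and is not part of the original rule page. It carries out the three next steps on a single host and, in doing so, applies the same criteria as the rule (value name equal to ProcessCreationIncludeCmdLine_Enabled, new data equal to 0) to the Security log's 4657 events. It assumes that Audit Registry with a SACL on the key is enabled as described under Prerequisites, that Audit Process Creation is enabled so 4688 events exist, and that the session is elevated. The function names and the 24-hour look-back are choices made for this example.

```powershell
# Added example, not code from the original rule page.
# Triage and contain one "Prevent Command Line Logging via Registry" alert on this host.
$auditKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$valueName = 'ProcessCreationIncludeCmdLine_Enabled'

# Turn the EventData of a Security event into a name -> value hashtable.
function ConvertTo-EventData {
    param([Parameter(Mandatory)]$Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# Step 1 (Identification): who set the value to 0, from which process, and when.
# Mirrors the rule: ObjectValueName matches and NewValue is "0".
function Get-CmdLineAuditTampering {
    param([datetime]$Since = (Get-Date).AddHours(-24))   # 24 h look-back: example choice
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData -Event $_
            if ($d.ObjectValueName -eq $valueName -and $d.NewValue -eq '0') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Process  = $d.ProcessName       # gpupdate/svchost here suggests GPO, not an attacker
                    Object   = $d.ObjectName
                    OldValue = $d.OldValue
                    NewValue = $d.NewValue
                }
            }
        }
}

# Step 2 (Analysis): process creations logged after the change have an empty CommandLine
# field, so list the 4688 events from that moment on and keep the ones without one.
function Get-BlindProcessCreations {
    param([Parameter(Mandatory)][datetime]$After)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $After } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData -Event $_
            [pscustomobject]@{
                Time        = $_.TimeCreated
                NewProcess  = $d.NewProcessName
                Parent      = $d.ParentProcessName
                CommandLine = $d.CommandLine
            }
        } | Where-Object { [string]::IsNullOrEmpty($_.CommandLine) }
}

# Step 3 (Response): restore the value, force a policy refresh and re-read it. If the value
# drops back to 0, a GPO defines the setting as Disabled and the fix belongs in that policy.
function Restore-CmdLineAuditing {
    Set-ItemProperty -Path $auditKey -Name $valueName -Value 1 -Type DWord
    gpupdate.exe /target:computer /force | Out-Null
    $now = (Get-ItemProperty -Path $auditKey -Name $valueName).$valueName
    [pscustomobject]@{ ValueAfterRefresh = $now; ManagedByPolicy = ($now -ne 1) }
}

$hits = @(Get-CmdLineAuditTampering)
$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    $first = ($hits | Sort-Object Time | Select-Object -First 1).Time
    Get-BlindProcessCreations -After $first | Format-Table -AutoSize
    Restore-CmdLineAuditing
}
```

The Process column from step 1 is the quickest way to separate policy-driven writes from tampering: a write by the Group Policy client points at a misconfigured GPO, a write by reg.exe, PowerShell or an unfamiliar binary under an interactive account is the case the rule exists for.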

Mitigation

ID: M1024

Mitigation: Restrict Registry Permissions

Description: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. For this rule, that means write access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit is limited to the accounts that manage audit policy.