English Subforum > ReHIPS

Can execute Sub-Programs: Alert -- what command lines does it monitor?


I am trying to understand "Can execute Sub-Programs: Alert" .
I opened an elevated command prompt and entered the command:
sc delete ProcLoggerSvc
The command was executed.
If cmd.exe called sub-program sc.exe and passed it a command, why was there no alert?

What program you have Sub-Programs Alert rule for? cmd or sc?
And just in case make sure you set it for the correct real user, the one you test from.

cmd.exe, like it is in default settings.
So that's the answer, I guess. The way I did it, sc.exe would need to have the Sub-Programs Alert rule. In other words, it is the executed program that counts, not the executor.

Yup, that's the answer.
Let's take a closer look: cmd.exe starts sc.exe with parameters. So:
-parent: cmd.exe
-process: sc.exe
Parameters are checked for the process, it's sc.exe. So you don't have any alerts.


[0] Message Index

Go to full version