03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76690860 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8ec New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing.
Type=Information RecordNumber=76690367 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x143c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76690330 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x1390 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76690306 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16c8 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76687675 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1148 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76686952 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x1480 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76686901 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16fc New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76684216 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11a4 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76683589 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17e4 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76683588 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0xc70 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76683545 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe84 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76681030 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1710 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76680326 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x688 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76680298 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0xc48 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76680296 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15b4 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76677762 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1134 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76677178 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x152c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76677172 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x14f8 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76677137 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15a4 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76674445 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1718 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76673732 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0xca0 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76673712 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc70 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76671371 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa5c New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76670666 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x1510 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76670634 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x17a4 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76670618 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf1c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76667766 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x158c New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76667129 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x17bc New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76667127 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1020 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76664522 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13ec New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76663752 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x374 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76663751 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0xef8 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76663711 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x159c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76661154 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11f8 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76660588 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x438 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76660586 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xef8 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76657791 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf9c New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76657775 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-21-3362573570-2432378073-3162174044-500 Account Name: Administrator Account Domain: KKCTF Logon ID: 0x66C44 Process Information: New Process ID: 0x1224 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line:
03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76657257 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created.
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x171c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76657256 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x16a8 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76657213 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12c0 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76654532 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1514 New Process Name: C:\Windows\System32\taskhostex.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76654027 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe68 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76653758 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1480 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76653757 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: New Process ID: 0x1730 New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/30/2021 06:02:09 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win2k12sdc.kkctf.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=76653706 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. 
Creator Subject: Security ID: S-1-5-18 Account Name: WIN2K12SDC$ Account Domain: KKCTF Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd3c New Process Name: C:\Windows\System32\taskhost.exe Token Elevation Type: TokenElevationTypeDefault (1) Creator Process ID: 0x3ac Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.