You can configure User Environment Manager to log the details of elevated application launches and, if desired, de-elevated child processes.

The default behavior of the PrivilegeElevationEventLog setting is to log the details of the following events to the Windows event log.
  • An application privilege is elevated.
  • An elevated application launches a de-elevated child process.
Setting Value
PrivilegeElevationEventLog To enable this setting, set the value to 1.
DeElevationEventLog If the value of the PrivilegeElevationEventLog setting is 1 but you do not want User Environment Manager to log de-elevated child processes, too, set this value to 0.