<localfile> <log_format>full_command</log_format> <command>%COMSPEC%

1.  <localfile>
2.     <log_format>full_command</log_format>
3.     <command>%COMSPEC% /C type %WINDIR%\system32\drivers\etc\hosts | %WINDIR%\system32\findstr.exe /BVC:"#"</command> <alias>Windows Hosts File</alias>
4.   </localfile>
5.  
6.   <localfile>
7.     <log_format>full_command</log_format>
8.     <command>%WINDIR%\system32\reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s | %WINDIR%\system32\findstr.exe /BV "! REG.EXE"</command> <alias>Windows Registry Run Key</alias>
9.   </localfile>
10.  
11.   <localfile>
12.     <log_format>full_command</log_format>
13.     <command>%WINDIR%\system32\reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /s | %WINDIR%\system32\findstr.exe /BV "! REG.EXE"</command> <alias>Windows Registry RunOnce Key</alias>
14.   </localfile>
15.  
16.   <localfile>
17.     <log_format>full_command</log_format>
18.     <command>%WINDIR%\system32\reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx /s | %WINDIR%\system32\findstr.exe /BV "! REG.EXE"</command> <alias>Windows Registry RunOnceEx Key</alias>
19.   </localfile>
20.  
21. <localfile>
22.     <log_format>full_command</log_format>
23.     <command>%WINDIR%\system32\net.exe localgroup administrators</command>
24.     <!-- command>%WINDIR%\system32\net.exe localgroup administrators | %WINDIR%\system32\findstr.exe /BV /C:"Alias name" /C:"Comment        Administrators have complete" /C:"Members" /C:"The command completed" /C:"---------"</command -->
25.     <alias>Windows Administrators Group Members</alias>
26.   </localfile>