Event ID: 4688

A new process has been created

A new process has been created.

(Creator) Subject:
    Security ID:          %1
    Account Name:         %2
    Account Domain:       %3
    Logon ID:             %4

Target Subject:
    Security ID:          %10 [Windows 10+]
    Account Name:         %11 [Windows 10+]
    Account Domain:       %12 [Windows 10+]
    Logon ID:             %13 [Windows 10+]

Process Information:
    New Process ID:       %5
    New Process Name:     %6
    Token Elevation Type: %7
    Mandatory Label:      %15 [Windows 10+]
    Creator Process ID:   %8
    Creator Process Name: %14 [Windows 10+]
    Process Command Line: %9 [Windows 8.1+]

The Logon ID correlates with the Logon ID in the New Logon section of event 4624, which is logged when a user logs on to Windows; the two can be joined to attribute a process to the logon session that created it.

The Sysmon utility can log additional details about processes, such as a hash of the executable, network connections initiated by the process, loading of drivers and more.

EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.

Auditing:     Always

It's recommended to always audit this event for security and forensic reasons.

Volume:     Medium High

This event is logged for every process started on a system, so the volume depends on process activity; generally it is medium to high.

ISO 27001:2013 A.9.4.4
NIST 800-171: 3.1.5
NIST SP 800-53: AC-6 (8)
CMMC v2 L2: AC.L2-3.1.5

Microsoft Documentation

Event ID - 4688

Name                      Field                Insertion String   OS               Example
Subject Security ID       SubjectUserSid       %1                 Any              S-1-5-18
Subject Account Name      SubjectUserName      %2                 Any              WIN-GG82ULGC9GO$
Subject Account Domain    SubjectDomainName    %3                 Any              DOMAIN
Subject Logon ID          SubjectLogonId       %4                 Any              0x3e7
New Process ID            NewProcessId         %5                 Any              0x2bc
New Process Name          NewProcessName       %6                 Any              C:\Windows\System32\rundll32.exe
Token Elevation Type      TokenElevationType   %7                 Any              %%1938
Creator Process ID        ProcessId            %8                 Any              0xe74
Process Command Line      CommandLine          %9                 Win8.1/2012R2+
Target Security ID        TargetUserSid        %10                Win10/2016+      S-1-5-21-1377283216-344919071-3415362939-1104
Target Account Name       TargetUserName       %11                Win10/2016+      User
Target Account Domain     TargetDomainName     %12                Win10/2016+      DOMAIN
Target Logon ID           TargetLogonId        %13                Win10/2016+      0x4a5af0
Creator Process Name      ParentProcessName    %14                Win10/2016+      C:\Windows\explorer.exe
Mandatory Label           MandatoryLabel       %15                Win10/2016+
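The following is an added example (not code from this page or from EventSentry) showing how the field names in the table above are used in practice: it parses exported Security log events in the XML shape that `wevtutil qe Security /f:xml` produces, joins each 4688 to the 4624 whose TargetLogonId matches the 4688's SubjectLogonId (the correlation described under the field list), decodes the TokenElevationType insertion string, and flags 4688 events whose CommandLine field is empty. The sample events, SIDs, logon IDs and command lines are constructed; the TokenElevationType mapping is the standard one for the %%1936-%%1938 strings.

```python
"""Correlate Windows 4688 (process creation) events with 4624 (logon) events by Logon ID."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as exported by wevtutil or Get-WinEvent .ToXml()).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Meaning of the TokenElevationType insertion strings seen in field %7 of 4688.
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault (1)",  # no UAC split token (e.g. SYSTEM, UAC off)
    "%%1937": "TokenElevationTypeFull (2)",     # elevated administrator token
    "%%1938": "TokenElevationTypeLimited (3)",  # filtered standard-user token
}

# Constructed sample events: one logon, one 4688 created in that session with a command
# line, and one 4688 from the SYSTEM logon (0x3e7) with no matching 4624 in the sample
# and no command line (command-line auditing not enabled on that host).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="TargetUserName">User</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetLogonId">0x4a5af0</Data>
    <Data Name="LogonType">2</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
    <Data Name="SubjectUserName">User</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x4A5AF0</Data>
    <Data Name="NewProcessId">0x2bc</Data>
    <Data Name="NewProcessName">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0xe74</Data>
    <Data Name="CommandLine">rundll32.exe shell32.dll,Control_RunDLL</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x1f0</Data>
    <Data Name="NewProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TokenElevationType">%%1936</Data>
    <Data Name="ProcessId">0x2a8</Data>
    <Data Name="CommandLine"></Data>
    <Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Return {"EventID": int, <EventData Name>: value, ...} for one event's XML."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def correlate(events):
    """Join every 4688 to the 4624 whose TargetLogonId equals the 4688's SubjectLogonId.

    Logon IDs are compared case-insensitively because different tools render the hex
    digits in different cases.  A 4688 with no matching 4624 (session started before
    the log window, or the 4624 was rotated out) is kept with logon_user set to None.
    """
    logons = {e["TargetLogonId"].lower(): e for e in events if e["EventID"] == 4624}
    rows = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        logon = logons.get(e["SubjectLogonId"].lower())
        rows.append({
            "process": e["NewProcessName"],
            "parent": e.get("ParentProcessName", ""),
            "command_line": e.get("CommandLine", ""),
            # Empty CommandLine means the host is not auditing command lines (or is pre-8.1).
            "command_line_logged": bool(e.get("CommandLine")),
            "elevation": TOKEN_ELEVATION.get(e["TokenElevationType"], e["TokenElevationType"]),
            "logon_user": f"{logon['TargetDomainName']}\\{logon['TargetUserName']}" if logon else None,
            "logon_type": logon["LogonType"] if logon else None,
        })
    return rows


if __name__ == "__main__":
    for row in correlate([parse_event(x) for x in SAMPLE_EVENTS]):
        print(row)
```

The `command_line_logged` flag is worth reporting per host: the CommandLine field (%9) is only populated when the Process Creation subcategory is audited and the "Include command line in process creation events" policy is enabled, so an empty field on a Windows 8.1+ system points at a configuration gap rather than a process started without arguments.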

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Creation"
