Event ID 4688
A new process has been created
A new process has been created.
(Creator) Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Target Subject:
Security ID: %10 [Windows 10+]
Account Name: %11 [Windows 10+]
Account Domain: %12 [Windows 10+]
Logon ID: %13 [Windows 10+]
Process Information:
New Process ID: %5
New Process Name: %6
Token Elevation Type: %7
Mandatory Label: %15 [Windows 10+]
Creator Process ID: %8
Creator Process Name: %14 [Windows 10+]
Process Command Line: %9 [Windows 8.1+]
The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.
The Sysmon utility can log additional details about processes, such as a hash of the executable, network connections initiated by the process, loading of drivers and more.
EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.
Auditing:
Always
It's recommended to always audit this event for security and forensic reasons.
Volume:
Medium
High
This event is logged for every process that is started on a system, as such the volume of events depends on process activity. Generally the volume will be medium to high.
ISO 27001:2013 A.9.4.4
NIST 800-171: 3.1.5
NIST SP 800-53: AC-6 (8)
CMMC v2 L2: AC.L2-3.1.5
| Name |
Field |
Insertion String |
OS |
Example |
|
|
|
Subject Security ID |
SubjectUserSid |
%1 |
Any |
S-1-5-18
|
|
|
Subject Account Name |
SubjectUserName |
%2 |
Any |
WIN-GG82ULGC9GO$
|
|
|
Subject Account Domain |
SubjectDomainName |
%3 |
Any |
DOMAIN
|
|
|
Subject Logon ID |
SubjectLogonId |
%4 |
Any |
0x3e7
|
|
|
New Process ID |
NewProcessId |
%5 |
Any |
0x2bc
|
|
|
New Process Name |
NewProcessName |
%6 |
Any |
C:\Windows\System32\rundll32.exe
|
|
|
Token Elevation Type |
TokenElevationType |
%7 |
Any |
%%1938
|
|
|
Creator Process ID |
ProcessId |
%8 |
Any |
0xe74
|
|
|
Process Command Line |
CommandLine |
%9 |
Win8.1/2012R2+ |
|
|
|
Security ID |
TargetUserSid |
%10 |
Win10/2016+ |
S-1-5-21-1377283216-344919071-3415362939-1104
|
|
|
Account Name |
TargetUserName |
%11 |
Win10/2016+ |
User
|
|
|
Account Domain |
TargetDomainName |
%12 |
Win10/2016+ |
DOMAIN
|
|
|
Logon ID |
TargetLogonId |
%13 |
Win10/2016+ |
0x4a5af0
|
|
|
Creator Process Name |
ParentProcessName |
%14 |
Win10/2016+ |
C:\Windows\explorer.exe
|
|
|
Mandatory Label |
MandatoryLabel |
%15 |
Win10/2016+ |
View Codes
|
SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Note A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user.
The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
The name of the account that requested the “create process” operation.
Subject’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: DOMAIN
Lowercase full domain name: domain.local
Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “ComputarName”.
Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Full path and the name of the executable for the new process.
TokenElevationTypeDefault (1): Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
TokenElevationTypeFull (2): Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
TokenElevationTypeLimited (3): Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.
This feature needs to be enabled either via group policy (Administrative Templates\System\Audit Process Creation\Include command line in process creation events) or via the registry (set HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled to 1).
SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
The name of the target account.
Target account’s domain or computer name. Formats vary, and include the following:
Domain NETBIOS name example: DOMAIN
Lowercase full domain name: domain.local
Uppercase full domain name: DOMAIN.LOCAL
For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “ComputerName”.
Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”
Full path and the name of the executable for the process.
SID of integrity label which was assigned to the new process. See notes for list of values
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Process Creation"
Legacy Events:
592
Correlated Events:
4689
LEFT/RIGHT arrow keys for navigation
Back to List