Event ID: 4688

A new process has been created

(Creator) Subject:
    Security ID:          %1
    Account Name:         %2
    Account Domain:       %3
    Logon ID:             %4

Target Subject:
    Security ID:          %10 [Windows 10+]
    Account Name:         %11 [Windows 10+]
    Account Domain:       %12 [Windows 10+]
    Logon ID:             %13 [Windows 10+]

Process Information:
    New Process ID:       %5
    New Process Name:     %6
    Token Elevation Type: %7
    Mandatory Label:      %15 [Windows 10+]
    Creator Process ID:   %8
    Creator Process Name: %14 [Windows 10+]
    Process Command Line: %9 [Windows 8.1+]
Microsoft Documentation: Event ID - 4688


Recommended Auditing
It's recommended to always audit this event for security and forensic reasons.

Volume
This event is logged for every process that is started on a system, so the volume of events depends on process activity. Generally the volume will be low to medium.


The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.

The Sysmon utility can log additional details about processes, such as a hash of the executable, network connections initiated by the process, loading of drivers and more.

EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.



Name                    Field               Insertion String  OS              Example
Subject Security ID     SubjectUserSid      %1                Any             S-1-5-18
Subject Account Name    SubjectUserName     %2                Any             WIN-GG82ULGC9GO$
Subject Account Domain  SubjectDomainName   %3                Any             DOMAIN
Subject Logon ID        SubjectLogonId      %4                Any             0x3e7
New Process ID          NewProcessId        %5                Any             0x2bc
New Process Name        NewProcessName      %6                Any             C:\Windows\System32\rundll32.exe
Token Elevation Type    TokenElevationType  %7                Any             %%1938
Creator Process ID      ProcessId           %8                Any             0xe74
Process Command Line    CommandLine         %9                Win8.1/2012R2+
Target Security ID      TargetUserSid       %10               Win10/2016+     S-1-5-21-1377283216-344919071-3415362939-1104
Target Account Name     TargetUserName      %11               Win10/2016+     User
Target Account Domain   TargetDomainName    %12               Win10/2016+     DOMAIN
Target Logon ID         TargetLogonId       %13               Win10/2016+     0x4a5af0
Creator Process Name    ParentProcessName   %14               Win10/2016+     C:\Windows\explorer.exe
Mandatory Label         MandatoryLabel      %15               Win10/2016+
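The following added example (not part of this page or of any EventSentry code) maps the raw insertion strings of 4688 records to the field names in the table above, tolerates the shorter Windows 8.1 layout, joins each process to the 4624 logon with the same Logon ID, and lists what a reviewer would want flagged. The sample events, the 4624 lookup table and the logon-type/elevation-code meanings are assumptions constructed for the demo, except where values come from the example column above.

```python
# Insertion-string order from the field table (%1..%15); %9 needs Win 8.1+, %10..%15 Win 10+.
FIELDS_4688 = ("SubjectUserSid", "SubjectUserName", "SubjectDomainName",
               "SubjectLogonId", "NewProcessId", "NewProcessName", "TokenElevationType",
               "ProcessId", "CommandLine", "TargetUserSid", "TargetUserName",
               "TargetDomainName", "TargetLogonId", "ParentProcessName", "MandatoryLabel")
# Parameter-message codes Windows writes into TokenElevationType.
ELEVATION = {"%%1936": "Type 1 (full token)", "%%1937": "Type 2 (elevated)",
             "%%1938": "Type 3 (limited)"}

def decode_4688(strings):
    """Map a record's raw insertion strings to named fields. Older Windows versions
    emit fewer strings; fields they lack become None, so one parser handles both."""
    rec = {name: None for name in FIELDS_4688}
    rec.update(zip(FIELDS_4688, strings))
    rec["TokenElevationType"] = ELEVATION.get(rec["TokenElevationType"],
                                              rec["TokenElevationType"])
    return rec

def correlate(events_4688, logons_4624):
    """Join each process to the 4624 logon whose New Logon ID equals the creator's
    Subject Logon ID. logons_4624 is {logon_id (lowercase hex): {fields}}."""
    joined = []
    for strings in events_4688:
        rec = decode_4688(strings)
        rec["Logon"] = logons_4624.get((rec["SubjectLogonId"] or "").lower())
        joined.append(rec)
    return joined

def review(records):
    """Findings a reviewer wants: elevated processes, and processes created
    inside a remote-interactive session (4624 logon type 10)."""
    findings = []
    for r in records:
        proc, logon = r["NewProcessName"], r["Logon"] or {}
        if r["TokenElevationType"] == ELEVATION["%%1937"]:
            findings.append(f"{proc}: runs with an elevated token")
        if logon.get("LogonType") == "10":
            findings.append(f"{proc}: created in RDP session from {logon['IpAddress']}")
    return findings

# Constructed sample data, not captured from a real system.
SAMPLE_4624 = {"0x4a5af0": {"LogonType": "10", "IpAddress": "203.0.113.5"}}
SAMPLE_4688 = [
    # Windows 8.1 layout: only %1..%9, so no parent name or target subject.
    ["S-1-5-18", "WIN-GG82ULGC9GO$", "DOMAIN", "0x3e7", "0x2bc",
     r"C:\Windows\System32\rundll32.exe", "%%1938", "0xe74", "rundll32.exe"],
    # Windows 10 layout: all 15 strings, created under the 0x4a5af0 logon.
    ["S-1-5-21-1377283216-344919071-3415362939-1104", "User", "DOMAIN", "0x4a5af0",
     "0x1f40", r"C:\Windows\System32\cmd.exe", "%%1937", "0x1a2c", "cmd.exe /c whoami",
     "S-1-5-21-1377283216-344919071-3415362939-1104", "User", "DOMAIN",
     "0x4a5af0", r"C:\Windows\explorer.exe", "S-1-16-12288"],
]
```

Call `review(correlate(SAMPLE_4688, SAMPLE_4624))` to get the two findings for the sample; records from Windows 8.1 simply carry None in the Windows 10 only fields.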


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Creation"