Event ID: 4689A process has exited
A process has exited. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Process Information: Process ID: %6 Process Name: %7 Exit Status: %5
It's recommended to always audit this event for security and forensic reasons.
This event is logged for every process that exits on a system, as such the volume of events depends on process activity. Generally the volume will be low to medium.
The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.
EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Process Termination"
LEFT/RIGHT arrow keys for navigationBack to List