Event ID: 4689

A process has exited 

A process has exited.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Process Information:
    Process ID:         %6
    Process Name:       %7
    Exit Status:        %5


The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.

EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.

Auditing:     Always

It's recommended to always audit this event for security and forensic reasons.


Volume:     Medium High

This event is logged for every process that exits on a system, as such the volume of events depends on process activity. Generally the volume will be medium to high.


Microsoft Documentation

Event ID - 4689



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any john.doe
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0xb3017
Exit Status Status %5 Any 0xc000042c
Process ID ProcessId %6 Any 0x11888
Process Name ProcessName %7 Any C:\Windows\System32\mmc.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Termination"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Detailed Tracking

Audit Subcategory:
Process Termination
Legacy Events:
593

Correlated Events:
4624 4688

LEFT/RIGHT arrow keys for navigation

Back to List