Event ID: 4689

A process has exited

A process has exited.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Process Information:
    Process ID:         %6
    Process Name:       %7
    Exit Status:        %5

The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.

EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.

Auditing:     Always

It's recommended to always audit this event for security and forensic reasons.

Volume:     Medium High

This event is logged for every process that exits on a system, as such the volume of events depends on process activity. Generally the volume will be medium to high.

Microsoft Documentation

Event ID - 4689

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any john.doe
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0xb3017
Exit Status Status %5 Any 0xc000042c
Process ID ProcessId %6 Any 0x11888
Process Name ProcessName %7 Any C:\Windows\System32\mmc.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Termination"

LEFT/RIGHT arrow keys for navigation

Back to List