Event ID: 4689

A process has exited

A process has exited.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Process Information:
    Process ID:         %6
    Process Name:       %7
    Exit Status:        %5
Microsoft Documentation

Event ID - 4689


Recommended Auditing
It's recommended to always audit this event for security and forensic reasons.

Volume
This event is logged for every process that exits on a system, as such the volume of events depends on process activity. Generally the volume will be low to medium.


The Logon ID correlates with the Logon ID from the New Logon section of event 4624 which is logged when a user logs on to Windows.

EventSentry includes Process Tracking which shows all process activity on a monitored system without the need to manually review and correlate this event.



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any john.doe
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0xb3017
Exit Status Status %5 Any 0xc000042c
Process ID ProcessId %6 Any 0x11888
Process Name ProcessName %7 Any C:\Windows\System32\mmc.exe


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Process Termination"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List