Event ID 5
Process terminated
Source:
Microsoft-Windows-Sysmon
Category:
Process terminated (rule: ProcessTerminate)
Process terminated: RuleName: %1!s! UtcTime: %2!s! ProcessGuid: %3!s! ProcessId: %4!s! Image: %5!s! User: %6!s!
The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.
Auditing:
Conditional
Similar to event id 1, this event corresponds to event id 4689 of Windows. If event 1 (ProcessCreate) is already enabled, then this event ("ProcessTerminate") should be enabled as well.
Volume:
Medium
High
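With both events enabled, a ProcessTerminate record can be paired with its ProcessCreate record on ProcessGuid to get each process's lifetime. The Python below is an added example, not part of the original page or of Sysmon; it assumes events exported as XML, and the sample events, GUID values and helper names are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = root.iterfind("e:EventData/e:Data", NS)
    return event_id, {d.get("Name"): d.text or "" for d in data}

def parse_utc(value):
    # Sysmon writes UtcTime as "YYYY-MM-DD HH:MM:SS.mmm"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")

def pair_lifetimes(xml_events):
    """Pair ProcessCreate (1) with ProcessTerminate (5) on ProcessGuid, not ProcessId,
    because the OS reuses PIDs. Returns (closed, still_running, orphan_terminations)."""
    started, closed, orphans = {}, [], []
    for xml_text in xml_events:
        event_id, f = parse_event(xml_text)
        if event_id == 1:
            started[f["ProcessGuid"]] = f
        elif event_id == 5:
            create = started.pop(f["ProcessGuid"], None)
            if create is None:
                orphans.append(f)  # no matching create: filtered, lost, or pre-collection
                continue
            delta = parse_utc(f["UtcTime"]) - parse_utc(create["UtcTime"])
            closed.append({"guid": f["ProcessGuid"], "pid": int(f["ProcessId"]),
                           "image": f["Image"], "seconds": delta.total_seconds()})
    return closed, list(started.values()), orphans

def sample_event(event_id, **fields):
    """Build a constructed, minimal event in the Windows event XML layout."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample: PID 4100 is reused by a second process with a different ProcessGuid.
SAMPLE = [
    sample_event(1, UtcTime="2024-01-01 10:00:00.000", ProcessGuid="{G-1}", ProcessId="4100", Image=r"C:\Windows\System32\cmd.exe"),
    sample_event(5, UtcTime="2024-01-01 10:00:02.500", ProcessGuid="{G-1}", ProcessId="4100", Image=r"C:\Windows\System32\cmd.exe"),
    sample_event(1, UtcTime="2024-01-01 10:05:00.000", ProcessGuid="{G-2}", ProcessId="4100", Image=r"C:\Windows\System32\notepad.exe"),
    sample_event(5, UtcTime="2024-01-01 10:06:00.000", ProcessGuid="{G-3}", ProcessId="5200", Image=r"C:\Windows\System32\whoami.exe"),
]

if __name__ == "__main__":
    for row in pair_lifetimes(SAMPLE)[0]:
        print(row)
```

Terminations with no matching create are returned separately because they usually point at a ProcessCreate filter rule or a gap in collection rather than at the process itself.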