🔍
Windows Forensic Handbook
  • 👋Welcome
  • Artifacts by Type
    • 🗄️Registry Artifacts
      • Amcache.hve
      • Background Activity Montitor
      • Image File Execution Options Registry Keys
      • System Resource Usage Monitor (SRUM)
      • Run/RunOnce Registry Keys
      • Tracing Registry Keys
      • Services Registry Keys
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
    • 📂Filesystem Artifacts
      • USN Journal
      • Prefetch
      • AutomaticDestinations Jumplists
      • Recycle Bin $I/$R Files
      • Task Scheduler Files
      • Windows Error Reporting Files (.WER)
      • System Resource Usage Monitor (SRUM)
    • 📅Event Log Artifacts
      • Task Scheduler Operational Log
      • TerminalServices-RDPClient
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Security
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
      • System
        • Event ID 7045: Service Installed
      • Microsoft Windows Windows Firewall With Advanced Security
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • TerminalServices-LocalSessionManager
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
      • TerminalServices-RemoteConnectionManager
        • EventID 1149: User Authentication Succeeded
      • Microsoft Windows Shell Core
        • EventID 9707: Command Execution Started
      • Microsoft-Windows-PowerShell
        • EventID 4104: PowerShell Script Block Logging
  • Artifacts by Activity
    • 🏃‍♂️Execution
      • Evidence of Execution
        • Prefetch
        • Amcache.hve
        • System Resource Usage Monitor (SRUM)
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • Windows Error Reporting Files (.WER)
        • Tracing Registry Keys
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • First Executed
        • Prefetch
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Tracing Registry Keys
        • Task Scheduler Operational Log
        • EventID 4104: PowerShell Script Block Logging
      • Last Executed
        • Prefetch
        • Background Activity Montitor
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • Task Scheduler Operational Log
      • Command Line Options
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4688: A new process has been created
        • EventID 9707: Command Execution Started
      • Execution Account
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Task Scheduler Files
        • EventID 4688: A new process has been created
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Parent and Child Information
        • EventID 4688: A new process has been created
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
        • EventID 4104: PowerShell Script Block Logging
      • Execution Timestamp
        • Task Scheduler Operational Log
        • EventID 9707: Command Execution Started
    • 🗒️File Activity
      • File Creation
        • USN Journal
      • File Deletion
        • USN Journal
        • Recycle Bin $I/$R Files
      • Last Modified
        • USN Journal
      • File Origin
      • File Size
        • USN Journal
        • Recycle Bin $I/$R Files
      • File Path
        • USN Journal
        • Prefetch
        • Amcache.hve
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • AutomaticDestinations Jumplists
        • Recycle Bin $I/$R Files
        • Image File Execution Options Registry Keys
        • Task Scheduler Files
        • Windows Error Reporting Files (.WER)
        • Run/RunOnce Registry Keys
        • Services Registry Keys
        • Task Scheduler Operational Log
        • Event ID 7045: Service Installed
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
      • File Hash
        • Amcache.hve
    • 👨‍🔧Account Activity
      • Account Creation Time
      • Group Membership
      • Last Login
      • Login History
        • EventID 4624: An account was successfully logged on
      • Logon ID
        • EventID 4624: An account was successfully logged on
        • EventID 4688: A new process has been created
      • Relative Identifier
      • Security Identifier
        • Background Activity Montitor
        • System Resource Usage Monitor (SRUM)
        • Recycle Bin $I/$R Files
        • EventID 4688: A new process has been created
        • EventID 4624: An account was successfully logged on
        • Event ID 7045: Service Installed
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 9707: Command Execution Started
      • Username
        • EventID 4624: An account was successfully logged on
        • AutomaticDestinations Jumplists
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
    • 🌎Network Activity
      • Evidence of Network Activity
        • Tracing Registry Keys
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Destination Identification
        • EventID 1024: RDP ClientActiveX is trying to connect to the server
      • Source Identification
        • Task Scheduler Files
        • Task Scheduler Operational Log
        • EventID 4624: An account was successfully logged on
        • EventID 21: Session logon succeeded
        • EventID 24: Session has been disconnected
        • EventID 1149: User Authentication Succeeded
      • Transmit Volume
        • System Resource Usage Monitor (SRUM)
      • Firewall Activity
        • EventID 2004: Firewall Rule Added
        • EventID 2005: Firewall Rule Modified
        • EventID 2006: Firewall Rule Deleted
        • EventID 2071: Firewall Rule Added
        • EventID 2073: Firewall Rule Modified
        • EventID 2052: Firewall Rule Deleted
        • EventID 4104: PowerShell Script Block Logging
      • Wireless Activity
    • 🔍Browser Activity
      • History
        • Firefox places.sqlite Database
      • Bookmarks
        • Firefox places.sqlite Database
      • Stored Passwords/Secrets
    • 🖥️System Enumeration
      • Select Registry Key
      • CurrentVersion Registry Key
      • ComputerName Registry Key
      • Interfaces Registry Key
      • NetworkCards Registry Key
      • TimeZoneInformation Registry Key
Powered by GitBook
On this page
  • Analysis Value
  • Operating System Availability
  • Artifact Location(s)
  • Artifact Interpretation
  • Analysis Tips
  • Examples
  1. Artifacts by Type
  2. Event Log Artifacts
  3. Security

EventID 4688: A new process has been created

Last updated 1 year ago

This event, logged to the Security channel, indicates a process was created on the system.

This event requires the Audit Process Creation policy to be configured, which is by default not configured.

Analysis Value

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

⚠️

Server 2019

⚠️

Windows 10

⚠️

Server 2016

⚠️

Windows 8

⚠️

Server 2012

⚠️

Windows 7

⚠️

Server 2008

⚠️

Windows Vista

⚠️

Server 2003

⚠️

Windows XP

⚠️

In Windows XP/Windows Server 2003, the corresponding Event ID is 592.

For the events to contain the full command line for each logged process, an additional policy called Include command line in process creation events must also be configured.

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Security.evtx

Artifact Interpretation

Field
Interpretation
Reference

EventData/SubjectLogonId

Provides the LogonID of the account that spawned the new process

EventData/NewProcessName

Provides the full path of the application that was spawned

EventData/CommandLine

The command line that spawned the new process

EventData/SubjectUserSid

The SID of the account that spawned the process

EventData/SubjectUserName

The username of the account that spawned the new process

EventData/SubjectDomainName

The domain name of the account that spawned the new process, if it exists. If the user is not a domain user, this field will be -

EventData/TokenElevationType

EventData/NewProcessID

The process ID of the newly spawned process

EventData/ProcessID

The process ID of the parent process

Analysis Tips

TokenElevationType and UAC

The EventData\TokenElevationType field relates to UAC. The following interpretations are made possible by this field:

  • %%1936 indicates that UAC is disabled on the system, or that the local administrator account launched the process.

  • %%1937 indicates that the user manually ran the process as an administrator, or that the program requested administrative privileges upon execution.

  • %%1938 indicates that the process did not run with administrator privileges.

In the event that UAC was used to elevate permissions in order to execute an application, this information will be stored in the Target fields instead.

Command Line Options

In the event that Process Tracking is enabled (defaults to disabled), the full command line will be available in the Process Command Line field.

In order for this to be available, the system's policy must be enabled under Computer Configuration/Administrative Templates/System/Audit Process Creation/Include command line in process creation events.

Process Tree

The ProcessID and NewProcessID fields may be used to create a timeline of processes.

Examples

In the following example, notepad.exe was launched by a user through Explorer.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
  <EventID>4688</EventID> 
  <Version>2</Version> 
  <Level>0</Level> 
  <Task>13312</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2023-06-25T19:46:45.3571632Z" /> 
  <EventRecordID>16044222</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="7776" /> 
  <Channel>Security</Channel> 
  <Computer>HLPC01</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data> 
  <Data Name="SubjectUserName">john.doe</Data> 
  <Data Name="SubjectDomainName">HLPC01</Data> 
  <Data Name="SubjectLogonId">0xd91ae</Data> 
  <Data Name="NewProcessId">0x5194</Data> 
  <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data> 
  <Data Name="TokenElevationType">%%1938</Data> 
  <Data Name="ProcessId">0x25d0</Data> 
  <Data Name="CommandLine">"C:\Windows\system32\notepad.exe"</Data> 
  <Data Name="TargetUserSid">S-1-0-0</Data> 
  <Data Name="TargetUserName">-</Data> 
  <Data Name="TargetDomainName">-</Data> 
  <Data Name="TargetLogonId">0x0</Data> 
  <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data> 
  <Data Name="MandatoryLabel">S-1-16-8192</Data> 
  </EventData>
  </Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In the following example, regedit.exe was launched by a user through the command line. Note the TokenElevationType has a value of %%1937, indicating they were likely prompted for administrative credentials/permissions. This also causes the user information to be stored in the Target fields, as opposed to the Subject fields as seen in the previous example.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
  <EventID>4688</EventID> 
  <Version>2</Version> 
  <Level>0</Level> 
  <Task>13312</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2023-06-25T19:48:53.8848049Z" /> 
  <EventRecordID>16044760</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="4" ThreadID="9852" /> 
  <Channel>Security</Channel> 
  <Computer>HLPC01</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">HLPC01$</Data> 
  <Data Name="SubjectDomainName">WORKGROUP</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="NewProcessId">0x4c7c</Data> 
  <Data Name="NewProcessName">C:\Windows\regedit.exe</Data> 
  <Data Name="TokenElevationType">%%1937</Data> 
  <Data Name="ProcessId">0x4e24</Data> 
  <Data Name="CommandLine">"C:\Windows\regedit.exe"</Data> 
  <Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data> 
  <Data Name="TargetUserName">john.doe</Data> 
  <Data Name="TargetDomainName">HLPC01</Data> 
  <Data Name="TargetLogonId">0xd9173</Data> 
  <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="MandatoryLabel">S-1-16-12288</Data> 
  </EventData>
  </Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

The token elevation type, related to UAC (see )

📅
Logon ID
Security Identifier
Command Line Options
Execution Account
Parent and Child Information
Evidence of Execution
Execution Timestamp
Logon ID
File Path
Command Line Options
Security Identifier
Username
Parent and Child Information
Parent and Child Information
Analysis Tips