# EventID 4688: A new process has been created

This event, logged to the `Security` channel, indicates a process was created on the system.

{% hint style="warning" %}
This event requires the `Audit Process Creation` policy to be configured, which is not configured by default.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/xrUgKsmrRTjjCfRttgUo" %}
[Logon ID](/windows-forensics/artifacts-by-activity/account-activity/logon-id.md)
{% endcontent-ref %}

{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}

{% content-ref url="/pages/agskwSdYbi8RGqMN5CmF" %}
[Command Line Options](/windows-forensics/artifacts-by-activity/execution/command-line-options.md)
{% endcontent-ref %}

{% content-ref url="/pages/7PsIbY4z0aa7D6FfSddw" %}
[Execution Account](/windows-forensics/artifacts-by-activity/execution/execution-account.md)
{% endcontent-ref %}

{% content-ref url="/pages/qnouj5GLuiwXN3ZPDBUb" %}
[Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md)
{% endcontent-ref %}

{% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %}
[Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md)
{% endcontent-ref %}

{% content-ref url="/pages/RRVYscBDy6RJr6mTXYPa" %}
[Execution Timestamp](/windows-forensics/artifacts-by-activity/execution/execution-timestamp.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ⚠️      | Server 2019   | ⚠️      |
| Windows 10    | ⚠️      | Server 2016   | ⚠️      |
| Windows 8     | ⚠️      | Server 2012   | ⚠️      |
| Windows 7     | ⚠️      | Server 2008   | ⚠️      |
| Windows Vista | ⚠️      | Server 2003   | ⚠️      |
| Windows XP    | ⚠️      |               |         |

{% hint style="warning" %}
In Windows XP/Windows Server 2003, the corresponding Event ID is `592`.
{% endhint %}

{% hint style="warning" %}
For the events to contain the full command line for each logged process, an additional policy called `Include command line in process creation events` must also be configured.
{% endhint %}

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Security.evtx`

## Artifact Interpretation

| Field | Interpretation | Reference |
| ----- | -------------- | --------- |
| `EventData/SubjectLogonId` | The Logon ID of the account that spawned the new process | [Logon ID](/pages/xrUgKsmrRTjjCfRttgUo) |
| `EventData/NewProcessName` | The full path of the application that was spawned | [/pages/V3cDcDJogcr4slquHEzB](/pages/V3cDcDJogcr4slquHEzB) |
| `EventData/CommandLine` | The command line that spawned the new process | [Command Line Options](/pages/agskwSdYbi8RGqMN5CmF) |
| `EventData/SubjectUserSid` | The SID of the account that spawned the process | [Security Identifier](/pages/LRJZQZsAd12i4mDfGwuK) |
| `EventData/SubjectUserName` | The username of the account that spawned the new process | [/pages/xb2jtwMPGcVKWaKDBigr](/pages/xb2jtwMPGcVKWaKDBigr) |
| `EventData/SubjectDomainName` | The domain name of the account that spawned the new process, if it exists. If the user is not a domain user, this field will be `-` | |
| `EventData/TokenElevationType` | The token elevation type, related to UAC (see [Analysis Tips](#analysis-tips)) | |
| `EventData/NewProcessId` | The process ID of the newly spawned process | [Parent and Child Information](/pages/qnouj5GLuiwXN3ZPDBUb) |
| `EventData/ProcessId` | The process ID of the parent process | [Parent and Child Information](/pages/qnouj5GLuiwXN3ZPDBUb) |

## Analysis Tips

{% hint style="success" %}

#### TokenElevationType and UAC

The `EventData/TokenElevationType` field relates to UAC. The following interpretations are made possible by this field:

* `%%1936` indicates that UAC is disabled on the system, or that the local administrator account launched the process.
* `%%1937` indicates that the user manually ran the process as an administrator, or that the program requested administrative privileges upon execution.
* `%%1938` indicates that the process did not run with administrator privileges.
{% endhint %}

{% hint style="warning" %}
When UAC was used to elevate permissions in order to execute an application, the account information for the user who performed the elevation is stored in the `Target` fields instead of the `Subject` fields.
{% endhint %}

{% hint style="success" %}

#### Command Line Options

When Process Tracking is enabled (it is disabled by default), the full command line is available in the `Process Command Line` field (`EventData/CommandLine` in the event XML).

For this to be available, the policy at `Computer Configuration/Administrative Templates/System/Audit Process Creation/Include command line in process creation events` must be enabled on the system.
{% endhint %}

{% hint style="success" %}

#### Process Tree

The `ProcessId` (parent) and `NewProcessId` (child) fields may be used to link each new process to its parent and so reconstruct a process tree and timeline of process creation.
{% endhint %}
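The Subject/Target rule and the process-tree tip above, put to work as an added Python example that is not part of the original page: it parses 4688 Event XML, picks the `Subject` or `Target` account based on `TokenElevationType`, and groups children under their parent PID (going slightly beyond the page by ordering children by time). The sample events are constructed here from the field values in this page's Examples section; `_event` is a hypothetical helper that only builds test input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Meaning of EventData/TokenElevationType, as documented on this page.
ELEVATION = {"%%1936": "full token (UAC disabled or built-in Administrator)",
             "%%1937": "elevated token (UAC prompt or requested elevation)",
             "%%1938": "limited token (not elevated)"}

def parse_4688(xml_text):
    """Pull the analyst-relevant fields out of one 4688 Event XML string (assumes input is a 4688)."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    # Elevated launches (%%1937) record the interactive user in the Target* fields
    # and the elevating account (SYSTEM) in Subject*; otherwise Subject* is the user.
    who = "Target" if data.get("TokenElevationType") == "%%1937" else "Subject"
    return {"time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "pid": int(data["NewProcessId"], 16),   # PIDs are hex in the XML view
            "ppid": int(data["ProcessId"], 16),
            "image": data["NewProcessName"],
            "parent_image": data.get("ParentProcessName", ""),
            "user": data[who + "DomainName"] + "\\" + data[who + "UserName"],
            "logon_id": data[who + "LogonId"],
            "elevation": ELEVATION.get(data.get("TokenElevationType"), "unknown")}

def process_tree(events):
    """Group parsed events by parent PID (in time order) so a tree can be walked from any PID."""
    tree = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tree[ev["ppid"]].append(ev)
    return tree

def _event(time, fields):
    """Constructed minimal 4688 XML shaped like the page's examples (not a real export)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4688</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{body}</EventData></Event>')
# Field values taken from the two examples on this page (explorer -> notepad, cmd -> regedit).
SAMPLES = [
    _event("2023-06-25T19:46:45Z", {"SubjectUserName": "john.doe", "SubjectDomainName": "HLPC01",
           "SubjectLogonId": "0xd91ae", "NewProcessId": "0x5194", "ProcessId": "0x25d0",
           "NewProcessName": r"C:\Windows\System32\notepad.exe", "TokenElevationType": "%%1938",
           "ParentProcessName": r"C:\Windows\explorer.exe"}),
    _event("2023-06-25T19:48:53Z", {"SubjectUserName": "HLPC01$", "SubjectDomainName": "WORKGROUP",
           "SubjectLogonId": "0x3e7", "NewProcessId": "0x4c7c", "ProcessId": "0x4e24",
           "NewProcessName": r"C:\Windows\regedit.exe", "TokenElevationType": "%%1937",
           "ParentProcessName": r"C:\Windows\System32\cmd.exe", "TargetUserName": "john.doe",
           "TargetDomainName": "HLPC01", "TargetLogonId": "0xd9173"}),
]
```

On a real export, feed each `<Event>` element's XML string to `parse_4688` and walk `process_tree` from a PID of interest.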

## Examples

In the following example, `notepad.exe` was launched by a user through Explorer.

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-06-25T19:46:45.3571632Z" />
    <EventRecordID>16044222</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="7776" />
    <Channel>Security</Channel>
    <Computer>HLPC01</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
    <Data Name="SubjectUserName">john.doe</Data>
    <Data Name="SubjectDomainName">HLPC01</Data>
    <Data Name="SubjectLogonId">0xd91ae</Data>
    <Data Name="NewProcessId">0x5194</Data>
    <Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x25d0</Data>
    <Data Name="CommandLine">"C:\Windows\system32\notepad.exe"</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">-</Data>
    <Data Name="TargetDomainName">-</Data>
    <Data Name="TargetLogonId">0x0</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-8192</Data>
  </EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.

In the following example, `regedit.exe` was launched by a user from the command line. Note that `TokenElevationType` has a value of `%%1937`, indicating the user was likely prompted for administrative credentials or permissions. This also causes the user information to be stored in the `Target` fields, as opposed to the `Subject` fields seen in the previous example.

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-06-25T19:48:53.8848049Z" />
    <EventRecordID>16044760</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="9852" />
    <Channel>Security</Channel>
    <Computer>HLPC01</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">HLPC01$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="NewProcessId">0x4c7c</Data>
    <Data Name="NewProcessName">C:\Windows\regedit.exe</Data>
    <Data Name="TokenElevationType">%%1937</Data>
    <Data Name="ProcessId">0x4e24</Data>
    <Data Name="CommandLine">"C:\Windows\regedit.exe"</Data>
    <Data Name="TargetUserSid">S-1-5-21-3471133136-2963561160-3931775028-1001</Data>
    <Data Name="TargetUserName">john.doe</Data>
    <Data Name="TargetDomainName">HLPC01</Data>
    <Data Name="TargetLogonId">0xd9173</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-12288</Data>
  </EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.
