search

EventID 4688: A new process has been created

This event, logged to the Security channel, indicates a process was created on the system.

circle-exclamation

This event requires the Audit Process Creation policy to be configured, which is by default not configured.

hashtag
Analysis Value

Logon IDchevron-rightSecurity Identifierchevron-rightCommand Line Optionschevron-rightExecution Accountchevron-rightParent and Child Informationchevron-rightEvidence of Executionchevron-rightExecution Timestampchevron-right

hashtag
Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

โš ๏ธ

Server 2019

โš ๏ธ

Windows 10

โš ๏ธ

Server 2016

โš ๏ธ

Windows 8

โš ๏ธ

Server 2012

โš ๏ธ

Windows 7

โš ๏ธ

Server 2008

โš ๏ธ

Windows Vista

โš ๏ธ

Server 2003

โš ๏ธ

Windows XP

โš ๏ธ

circle-exclamation

In Windows XP/Windows Server 2003, the corresponding Event ID is 592.

circle-exclamation

For the events to contain the full command line for each logged process, an additional policy called Include command line in process creation events must also be configured.

hashtag
Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Security.evtx

hashtag
Artifact Interpretation

Field
Interpretation
Reference

EventData/SubjectLogonId

Provides the LogonID of the account that spawned the new process

Logon ID

EventData/NewProcessName

Provides the full path of the application that was spawned

File Path

EventData/CommandLine

The command line that spawned the new process

Command Line Options

EventData/SubjectUserSid

The SID of the account that spawned the process

Security Identifier

EventData/SubjectUserName

The username of the account that spawned the new process

Username

EventData/SubjectDomainName

The domain name of the account that spawned the new process, if it exists. If the user is not a domain user, this field will be -

EventData/TokenElevationType

The token elevation type, related to UAC (see Analysis Tips)

EventData/NewProcessID

The process ID of the newly spawned process

Parent and Child Information

EventData/ProcessID

The process ID of the parent process

Parent and Child Information

hashtag
Analysis Tips

circle-check

hashtag
TokenElevationType and UAC

The EventData\TokenElevationType field relates to UAC. The following interpretations are made possible by this field:

  • %%1936 indicates that UAC is disabled on the system, or that the local administrator account launched the process.

  • %%1937 indicates that the user manually ran the process as an administrator, or that the program requested administrative privileges upon execution.

  • %%1938 indicates that the process did not run with administrator privileges.

circle-exclamation

In the event that UAC was used to elevate permissions in order to execute an application, this information will be stored in the Target fields instead.

circle-check

hashtag
Command Line Options

In the event that Process Tracking is enabled (defaults to disabled), the full command line will be available in the Process Command Line field.

In order for this to be available, the system's policy must be enabled under Computer Configuration/Administrative Templates/System/Audit Process Creation/Include command line in process creation events.

circle-check

hashtag
Process Tree

The ProcessID and NewProcessID fields may be used to create a timeline of processes.

hashtag
Examples

In the following example, notepad.exe was launched by a user through Explorer.

This example was produced on Windows 10, Version 10.0.19044 Build 19044

In the following example, regedit.exe was launched by a user through the command line. Note the TokenElevationType has a value of %%1937, indicating they were likely prompted for administrative credentials/permissions. This also causes the user information to be stored in the Target fields, as opposed to the Subject fields as seen in the previous example.

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated