#process-monitoring
5 articles
Windows Events (5)
Windows Event ID 6280 – Microsoft-Windows-Kernel-Process: Process Creation Notification
Event ID 6280 records process creation events in the Microsoft-Windows-Kernel-Process ETW provider, capturing detailed process startup information for security monitoring and system analysis.
Windows Event ID 4696 – Microsoft-Windows-Security-Auditing: Primary Token Assigned to Process
Event ID 4696 records when Windows assigns a primary token to a new process during creation, providing detailed security context for process auditing and forensic analysis.
Windows Event ID 4689 – Security: Process Termination Auditing
Event ID 4689 records when a process terminates on Windows systems with process auditing enabled. This security event provides detailed information about process lifecycle management and is essential for forensic analysis and security monitoring.
Windows Event ID 4688 – Microsoft-Windows-Security-Auditing: Process Creation Audit Event
Event ID 4688 logs every new process creation on Windows systems when process auditing is enabled. Critical for security monitoring, forensics, and detecting unauthorized program execution.
Windows Event ID 76 – Application Popup: System Process Terminated Unexpectedly
Event ID 76 indicates a critical system process has terminated unexpectedly, triggering Windows to display an application error popup and potentially initiate system recovery procedures.