Windows Event ID 4688 – Microsoft-Windows-Security-Auditing: Process Creation Audit Event

Event ID 4688 logs every new process creation on Windows systems when process auditing is enabled. Critical for security monitoring, forensics, and detecting unauthorized program execution.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 4688 represents one of the most important security audit events in Windows logging. Generated by the Microsoft-Windows-Security-Auditing provider, this event creates a comprehensive record each time a process is created on the system. The event captures critical forensic information including the full path to the executable, command line parameters, the user context under which the process runs, and the parent process that spawned it.

The event structure includes several key fields: Subject (the user account that created the process), Process Information (details about the new process including its ID and name), and Token Elevation Type (indicating whether the process runs with elevated privileges). Modern Windows versions also include the Process Command Line field when configured, providing complete visibility into how programs are invoked.

From a security perspective, Event ID 4688 enables detection of various attack techniques including lateral movement, privilege escalation, and malware execution. Security analysts use these events to build behavioral baselines, identify anomalous process creation patterns, and trace attack chains during incident response. The event also supports compliance frameworks that require detailed audit trails of system activity.

The volume of 4688 events can be substantial on active systems, with hundreds or thousands of events generated daily. This necessitates proper log forwarding, centralized collection, and retention policies. Many organizations filter these events to focus on specific processes or user accounts to reduce noise while maintaining security visibility.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • User launching applications through the Start menu, desktop shortcuts, or command line
  • System services starting automatically during boot or on-demand
  • Scheduled tasks executing programs at predetermined times
  • Windows Update or software installers creating temporary processes
  • Background processes spawned by running applications
  • PowerShell, Command Prompt, or other scripting engines executing commands
  • Malware or unauthorized software attempting to execute
  • Remote administration tools creating processes on behalf of administrators
  • Windows built-in utilities like svchost.exe spawning child processes

Resolution Methods

Troubleshooting Steps

01. Enable Process Creation Auditing

Before Event ID 4688 appears, you must enable process creation auditing through Group Policy:

  1. Open Group Policy Management Console or run gpedit.msc for local policy
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Detailed Tracking
  3. Double-click Audit Process Creation
  4. Check Configure the following audit events and select Success
  5. To capture command line arguments, also enable: Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events
  6. Run gpupdate /force to apply the policy immediately

Verify the setting with PowerShell:

auditpol /get /subcategory:"Process Creation"
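
auditpol only reports the audit subcategory, not whether command lines are being captured. The following added example (written for this article, not part of the original) checks both settings and remediates locally when they are off; it assumes an English-language system (auditpol output is localised) and an elevated session for the remediation step, and a conflicting Group Policy will overwrite the local changes at the next refresh.

```powershell
# Both halves of the 4688 configuration: the Process Creation audit subcategory and the
# command-line capture policy value that Group Policy writes under the Audit key (1 = enabled).
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Test-ProcessCreationAudit {
    # auditpol prints e.g. "  Process Creation   Success"; assumes English output
    $auditLine = (auditpol /get /subcategory:"Process Creation" | Where-Object { $_ -match 'Process Creation' }) -join ' '
    $auditEnabled = [bool]($auditLine -match 'Success')

    $cmdLine = Get-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    $cmdLineEnabled = ($null -ne $cmdLine -and $cmdLine.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    [PSCustomObject]@{
        ProcessCreationAudit = $auditEnabled
        CommandLineCapture   = $cmdLineEnabled
        Compliant            = ($auditEnabled -and $cmdLineEnabled)
    }
}

$status = Test-ProcessCreationAudit
$status | Format-List

# Local remediation (requires elevation); domain policy, where present, takes precedence
if (-not $status.ProcessCreationAudit) {
    auditpol /set /subcategory:"Process Creation" /success:enable
}
if (-not $status.CommandLineCapture) {
    if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey | Out-Null }
    Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}
```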

02. Query and Filter 4688 Events

Use PowerShell to retrieve and analyze Event ID 4688 entries:

# Get recent process creation events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 50

# Filter by specific process name (matching on Message also hits the Creator Process Name field, so parents are included)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*powershell.exe*"}

# Get events from last 24 hours with the new process name extracted from the message text
# (messages use CRLF line endings, so split on an optional \r as well)
$StartTime = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime} | Select-Object TimeCreated, Id, @{Name='ProcessName';Expression={(($_.Message -split '\r?\n' | Where-Object {$_ -like '*New Process Name:*'}) -replace '.*New Process Name:\s*','').Trim()}}

In Event Viewer, navigate to Windows Logs → Security and filter for Event ID 4688: right-click Security → Filter Current Log and enter 4688 in the Event IDs field.

03. Analyze Process Execution Patterns

Investigate suspicious process creation patterns using advanced PowerShell analysis:

# Find processes launched by specific users
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $subjectUserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $processName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User = $subjectUserName
        Process = $processName
    }
} | Where-Object {$_.User -eq 'suspicious_user'}

# Detect unusual process parent-child relationships
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000
$Events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $parentProcess = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ParentProcessName'} | Select-Object -ExpandProperty '#text'
    $childProcess = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
    "$parentProcess -> $childProcess"
} | Group-Object | Sort-Object Count -Descending
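
The parent-child counts above describe what is common; a practitioner also wants to know what is new. The following added example (written for this article, not part of the original) reads the EventData fields directly, maps the Token Elevation Type codes to names, records every parent → child pair from a known-good period as a baseline, and on later runs reports only pairs not seen before, with user, elevation and command line. The baseline path and the 30-day/24-hour windows are assumptions.

```powershell
# Token Elevation Type codes as they appear in the 4688 EventData; display names are ours
$ElevationNames = @{ '%%1936' = 'Type1-Default'; '%%1937' = 'Type2-Full'; '%%1938' = 'Type3-Limited' }
$BaselinePath   = 'C:\Scripts\4688-baseline.json'   # assumed location for the baseline file

# Pull 4688 events since $Since and flatten the EventData fields into one object per event
function Get-ProcessCreationRecord {
    param([datetime]$Since, [int]$Max = 5000)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                Elevation   = $ElevationNames[$data['TokenElevationType']]
                CommandLine = $data['CommandLine']   # empty unless command-line capture is enabled
            }
        }
}

# First run: record every parent -> child pair from the last 30 days as the baseline
if (-not (Test-Path $BaselinePath)) {
    $pairs = @(Get-ProcessCreationRecord -Since (Get-Date).AddDays(-30) |
        ForEach-Object { "$($_.Parent) -> $($_.Child)" } | Sort-Object -Unique)
    ConvertTo-Json -InputObject $pairs | Set-Content -Path $BaselinePath
}

# Later runs: report last-24-hour events whose parent -> child pair is not in the baseline
$Baseline = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($pair in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) { [void]$Baseline.Add($pair) }

Get-ProcessCreationRecord -Since (Get-Date).AddDays(-1) |
    Where-Object { -not $Baseline.Contains("$($_.Parent) -> $($_.Child)") } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, User, Elevation, Parent, Child, CommandLine -AutoSize -Wrap
```

On the first run the baseline includes the current day, so nothing is reported until the next run; review the baseline file before trusting it, since a compromise inside the 30-day window would be baked in.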

04. Configure Advanced Filtering and Forwarding

Set up Windows Event Forwarding (WEF) to centralize 4688 events and reduce noise:

  1. Create a custom XML filter that excludes common system processes. The XPath subset used by the Windows event log does not support contains(), so the exclusions match the full executable path in a Suppress clause:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4688)]]</Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\svchost.exe' or
                  Data[@Name='NewProcessName']='C:\Windows\System32\dwm.exe' or
                  Data[@Name='NewProcessName']='C:\Windows\System32\csrss.exe']]
    </Suppress>
  </Query>
</QueryList>
  2. Configure Event Forwarding on the collector server:
# Enable WinRM on source computers
winrm quickconfig

# Create subscription on collector
wecutil cs ProcessCreationSubscription.xml

# Check subscription status
wecutil gr ProcessCreationSubscription

Raise the maximum size of the Security log through the policy registry value so high-volume 4688 events are not overwritten before they are collected (value in bytes, REG_DWORD):

HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize = 1048576000

05. Implement Security Monitoring and Alerting

Create automated monitoring for suspicious process creation patterns:

# PowerShell script for continuous monitoring (Windows PowerShell 5.1: Register-WmiEvent is not available in PowerShell 7;
# subscribing to Win32_ProcessStartTrace requires an elevated session)
$SuspiciousProcesses = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$AlertThreshold = 10

# Register the custom event source once so Write-EventLog can write alerts to the Application log
if (-not [System.Diagnostics.EventLog]::SourceExists('Security Monitor')) {
    New-EventLog -LogName Application -Source 'Security Monitor'
}

# The -Action block runs in its own scope, so the watch list and threshold are passed in via -MessageData
Register-WmiEvent -Query "SELECT * FROM Win32_ProcessStartTrace" -SourceIdentifier 'ProcessStartWatch' `
    -MessageData @{Processes = $SuspiciousProcesses; Threshold = $AlertThreshold} -Action {
    $Process = $Event.SourceEventArgs.NewEvent
    $Watch = $Event.MessageData
    if ($Watch.Processes -contains $Process.ProcessName) {
        # Count 4688 events for this executable in the last five minutes (@() keeps .Count valid for 0 or 1 results)
        $Count = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue |
                 Where-Object {$_.Message -like "*$($Process.ProcessName)*"}).Count

        if ($Count -gt $Watch.Threshold) {
            Write-EventLog -LogName Application -Source "Security Monitor" -EventId 9999 -EntryType Warning -Message "High volume of $($Process.ProcessName) executions detected: $Count in 5 minutes"
        }
    }
}

# Create scheduled task for regular analysis (C:\Scripts\ProcessMonitor.ps1 is the script above saved to disk)
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\ProcessMonitor.ps1'
$Trigger = New-ScheduledTaskTrigger -Daily -At 9am
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "ProcessCreationMonitor" -Description "Monitor Event ID 4688 for security analysis"

Pro tip: Use Sysmon alongside Event ID 4688 for enhanced process monitoring with additional context like file hashes and network connections.

Overview

Event ID 4688 fires every time a new process starts on a Windows system when process creation auditing is enabled through Group Policy. This security audit event captures detailed information about what programs are being executed, who executed them, and when they ran. The event appears in the Security log and includes the process name, command line arguments, parent process, user account, and process ID.

This event is fundamental for security monitoring, incident response, and compliance requirements. Security teams rely on 4688 events to track program execution, detect malicious activity, and investigate security incidents. The event provides visibility into both legitimate system processes and potentially malicious executables, making it invaluable for endpoint detection and response (EDR) solutions.

By default, Windows systems do not log Event ID 4688 unless specifically configured through audit policies. When enabled, these events can generate significant log volume on busy systems, requiring careful log management and retention planning. The event works in conjunction with Event ID 4689, which logs process termination.

Frequently Asked Questions

What does Event ID 4688 mean and why is it important?

Event ID 4688 is a security audit event that logs every new process creation on Windows systems when process auditing is enabled. It's crucial for security monitoring because it provides complete visibility into what programs are being executed, who executed them, and when. This event helps detect malicious activity, unauthorized software execution, and supports forensic investigations. Security teams use 4688 events to build behavioral baselines, identify anomalous process patterns, and trace attack chains during incident response.

How do I enable Event ID 4688 logging on my Windows systems?

Enable Event ID 4688 through Group Policy by navigating to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Detailed Tracking → Audit Process Creation, then select 'Success'. To capture command line arguments, also enable the policy at Computer Configuration → Administrative Templates → System → Audit Process Creation → 'Include command line in process creation events'. Apply changes with 'gpupdate /force'. You can verify the setting using 'auditpol /get /subcategory:"Process Creation"'.

Why am I seeing thousands of Event ID 4688 entries and how can I manage the volume?

Event ID 4688 generates high volumes because it logs every process creation, including system processes, services, and background tasks. To manage this, implement filtering strategies: exclude common system processes like svchost.exe, dwm.exe, and csrss.exe using custom XML queries in Event Viewer or WEF subscriptions. Focus monitoring on specific users, suspicious process names, or unusual parent-child relationships. Consider using centralized logging solutions with retention policies and automated analysis to handle the volume effectively.

What information is included in Event ID 4688 and how do I interpret it?

Event ID 4688 includes several key fields: Subject (user account that created the process), Process Information (new process name, ID, and path), Parent Process Name and ID, Token Elevation Type (privilege level), and optionally the Process Command Line. The Subject section shows who initiated the process, Process Information details what was executed, and the parent process indicates what spawned the new process. Command line arguments reveal exactly how the program was invoked, which is critical for detecting malicious usage of legitimate tools.

How can I use Event ID 4688 for security incident investigation?

Use Event ID 4688 for incident investigation by correlating process creation events with other security logs. Start by identifying the timeline of suspicious activity, then trace process execution chains using parent-child relationships. Look for unusual processes launched by compromised accounts, processes with suspicious command line arguments, or legitimate tools used maliciously (living-off-the-land techniques). Combine 4688 events with Event ID 4689 (process termination) to understand complete process lifecycles. Use PowerShell to filter events by time ranges, users, or process names, and correlate with network logs and file access events for comprehensive analysis.