Windows Event ID 4689 – Security: Process Termination Auditing

Event ID 4689 records when a process terminates on Windows systems with process auditing enabled. This security event provides detailed information about process lifecycle management and is essential for forensic analysis and security monitoring.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 4689 is generated by the Windows Security subsystem whenever a monitored process terminates. This event is part of the detailed process tracking audit category and requires explicit configuration through Local Security Policy or Group Policy to become active. The event captures the moment when a process handle is closed and the process is removed from the system's process table.

The event contains several critical fields including the Process ID (PID), Process Name, Token Elevation Type, Process Command Line (if configured), Creator Process ID, and the Security ID of the user account that launched the process. This information proves invaluable for security incident response teams who need to reconstruct the sequence of events during a potential security breach.

Windows generates this event for all process types including system processes, user applications, services, and even short-lived processes like command-line utilities. The event timing is precise, occurring at the exact moment the process handle is destroyed by the Windows kernel. This makes Event ID 4689 extremely reliable for forensic timeline reconstruction and process behavior analysis.

In enterprise environments, this event is often forwarded to Security Information and Event Management (SIEM) systems for centralized monitoring and analysis. The event's structured format makes it ideal for automated parsing and correlation with other security events to identify patterns of malicious activity or unauthorized process execution.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Normal application termination when a user closes a program or application exits naturally
  • Process termination initiated by Task Manager or taskkill command
  • Service shutdown during system restart or manual service stop operations
  • Automatic process termination due to system resource constraints or memory limits
  • Process crash or abnormal termination due to application errors or system instability
  • Security software terminating suspicious or malicious processes
  • System shutdown or restart causing all running processes to terminate
  • Parent process termination forcing child processes to close
  • Windows Update or software installation requiring process restart

Resolution Methods

Troubleshooting Steps

01. Enable Process Termination Auditing

Before Event ID 4689 can appear, you must enable process termination auditing through Group Policy or Local Security Policy.

  1. Open Local Security Policy by running secpol.msc as administrator
  2. Navigate to Local Policies > Audit Policy
  3. Double-click Audit process tracking
  4. Check both Success and Failure options
  5. Click OK and restart the system

For advanced auditing on Windows 10/11 and Server 2019+:

  1. Run gpedit.msc as administrator
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  3. Expand Detailed Tracking
  4. Enable Audit Process Termination for Success events
# Or enable it from an elevated PowerShell (or cmd) prompt with auditpol
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
Pro tip: Use advanced audit policies for granular control over which process termination events are logged.

02. Query Event ID 4689 in Event Viewer

Once auditing is enabled, Event ID 4689 events will appear in the Security log. Here's how to locate and analyze them:

  1. Open Event Viewer by running eventvwr.msc
  2. Navigate to Windows Logs > Security
  3. In the Actions pane, click Filter Current Log
  4. Enter 4689 in the Event IDs field
  5. Click OK to filter results

Use PowerShell for more advanced querying:

# Get last 50 process termination events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# Filter by specific process name
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} | Where-Object {$_.Message -like "*notepad.exe*"}

# Export to CSV for analysis
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 1000 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\Temp\ProcessTermination.csv" -NoTypeInformation
Warning: The Security log can grow large quickly with process auditing enabled. Monitor disk space and configure log rotation policies.

03. Analyze Process Termination Patterns

Use PowerShell to identify unusual process termination patterns that might indicate security issues:

# Group termination events by process name to identify frequently terminating processes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 5000 | ForEach-Object {
    if ($_.Message -match 'Process Name:\s+(.+?)\r?\n') {
        $matches[1]
    }
} | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count

# Find processes terminated within a specific time window
$StartTime = (Get-Date).AddHours(-24)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Message -Wrap

# Identify processes terminated by specific users
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} | Where-Object {$_.Message -like "*DOMAIN\username*"}

Create a custom PowerShell function for detailed analysis:

function Get-ProcessTerminationDetails {
    param(
        [int]$MaxEvents = 100,
        [string]$ProcessName = "*"
    )
    
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents $MaxEvents | ForEach-Object {
        $Message = $_.Message
        $ProcessNameMatch = if ($Message -match 'Process Name:\s+(.+?)\r?\n') { $matches[1] } else { "Unknown" }
        $ProcessIdMatch = if ($Message -match 'Process ID:\s+(0x[0-9a-fA-F]+)') { $matches[1] } else { "Unknown" }
        
        if ($ProcessNameMatch -like $ProcessName) {
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                ProcessName = $ProcessNameMatch
                ProcessId = $ProcessIdMatch
                User = if ($Message -match 'Subject:\s+Security ID:\s+(.+?)\r?\n') { $matches[1] } else { "Unknown" }
            }
        }
    }
}

04. Configure Advanced Process Monitoring

For comprehensive process lifecycle monitoring, configure additional audit settings and correlation with Event ID 4688:

  1. Enable command line auditing to capture full process execution details:
# Enable command line process auditing via registry (the Audit key does not exist on a fresh system, so create it first)
$AuditKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit"
if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
Set-ItemProperty -Path $AuditKey -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord

# Or via Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events
  2. Create a PowerShell script to correlate process creation (4688) with termination (4689):
function Get-ProcessLifecycle {
    param([string]$ProcessName)

    # Requires Audit Process Creation (4688) to be enabled in addition to Audit Process Termination (4689).
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when the filter matches no events.

    # Get process creation events
    $CreationEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue | Where-Object {$_.Message -like "*$ProcessName*"}

    # Get process termination events
    $TerminationEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 1000 -ErrorAction SilentlyContinue | Where-Object {$_.Message -like "*$ProcessName*"}

    # Correlate by Process ID and time
    foreach ($creation in $CreationEvents) {
        $creationPid = if ($creation.Message -match 'New Process ID:\s+(0x[0-9a-fA-F]+)') { $matches[1] } else { $null }
        if (-not $creationPid) { continue }   # skip events whose PID could not be parsed

        # Get-WinEvent returns newest events first, so sort ascending and take the earliest termination
        # after the creation; otherwise a later reuse of the same PID could be picked. \b stops 0x1a2c matching 0x1a2c0.
        $termination = $TerminationEvents | Where-Object {
            $_.Message -match "Process ID:\s+$creationPid\b" -and $_.TimeCreated -gt $creation.TimeCreated
        } | Sort-Object TimeCreated | Select-Object -First 1

        if ($termination) {
            $duration = $termination.TimeCreated - $creation.TimeCreated
            [PSCustomObject]@{
                ProcessName = $ProcessName
                ProcessId = $creationPid
                StartTime = $creation.TimeCreated
                EndTime = $termination.TimeCreated
                Duration = $duration.ToString()
            }
        }
    }
}
Pro tip: Use Windows Performance Toolkit (WPT) alongside Event ID 4689 for comprehensive process behavior analysis in enterprise environments.
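The functions in steps 02 to 04 extract fields with regular expressions over the rendered Message text, which depends on the display language and on the provider's message template. The following is an added example, not code from the article: it reads the fields by name from the event XML that Get-WinEvent exposes through ToXml() (SubjectUserName, ProcessId, ProcessName, Status and, on 4688, NewProcessId/NewProcessName), and pairs each 4689 with the latest preceding 4688 for the same PID so that a reused PID is tied to its own creation. It also surfaces the Exit Status field that 4689 carries. It assumes both Audit Process Creation and Audit Process Termination are enabled; the function names, the ShortLived threshold and the sample events are constructed for this example.

```powershell
# Added example, not from the article: parse 4688/4689 from the event XML and pair them by PID.
function ConvertFrom-SecurityEventXml {
    # Flattens one event's XML (what Get-WinEvent's ToXml() returns) into a record.
    # Reading EventData by field name avoids regex on the rendered Message, which varies by locale.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        [xml]$x = $Xml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $eid = $x.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }
        $id = [int]$eid
        # 4688 describes the new process as NewProcessId/NewProcessName; 4689 uses ProcessId/ProcessName
        $pidKey  = if ($id -eq 4688) { 'NewProcessId' }   else { 'ProcessId' }
        $nameKey = if ($id -eq 4688) { 'NewProcessName' } else { 'ProcessName' }
        [PSCustomObject]@{
            Time        = [DateTimeOffset]::Parse($x.Event.System.TimeCreated.SystemTime).UtcDateTime
            Id          = $id
            ProcessId   = [Convert]::ToInt64($d[$pidKey], 16)   # both events store the PID as hex text such as 0x1a2c
            ProcessName = $d[$nameKey]
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ExitStatus  = $d['Status']                         # 4689 only: exit code / NTSTATUS of the process
        }
    }
}

function Get-ProcessLifecycleRecord {
    # Pairs every 4689 with the latest preceding 4688 for the same PID. Walking in time order and
    # dropping a PID once it is matched means a reused PID is tied to its own creation, not an older one.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [double]$ShortLivedSeconds = 2     # assumed threshold for flagging very short-lived processes
    )
    $open = @{}   # PID -> creation record not yet matched to a termination
    foreach ($r in ($Records | Sort-Object Time)) {
        if ($r.Id -eq 4688) { $open[$r.ProcessId] = $r; continue }
        if ($r.Id -ne 4689 -or -not $open.ContainsKey($r.ProcessId)) { continue }  # no creation seen in this window
        $start = $open[$r.ProcessId]
        $open.Remove($r.ProcessId)
        $dur = $r.Time - $start.Time
        [PSCustomObject]@{
            ProcessId   = $r.ProcessId
            ProcessName = $r.ProcessName
            User        = $start.User
            StartTime   = $start.Time
            EndTime     = $r.Time
            DurationSec = [math]::Round($dur.TotalSeconds, 3)
            ExitStatus  = $r.ExitStatus
            ShortLived  = ($dur.TotalSeconds -lt $ShortLivedSeconds)
        }
    }
}

# Constructed sample (not real log data): PID 0x1a2c is used by cmd.exe, then reused by notepad.exe.
function New-SampleEventXml {
    param([int]$Id, [string]$Time, [hashtable]$Data)
    $items = foreach ($k in $Data.Keys) { "<Data Name='$k'>$($Data[$k])</Data>" }
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><EventData>$(-join $items)</EventData></Event>"
}
$sample = @(
    New-SampleEventXml 4688 '2026-03-18T10:00:00.0000000Z' @{ NewProcessId='0x1a2c'; NewProcessName='C:\Windows\System32\cmd.exe'; SubjectDomainName='CORP'; SubjectUserName='alice' }
    New-SampleEventXml 4689 '2026-03-18T10:00:00.4000000Z' @{ ProcessId='0x1a2c'; ProcessName='C:\Windows\System32\cmd.exe'; Status='0x0'; SubjectDomainName='CORP'; SubjectUserName='alice' }
    New-SampleEventXml 4688 '2026-03-18T10:05:00.0000000Z' @{ NewProcessId='0x1a2c'; NewProcessName='C:\Windows\notepad.exe'; SubjectDomainName='CORP'; SubjectUserName='bob' }
    New-SampleEventXml 4689 '2026-03-18T10:30:00.0000000Z' @{ ProcessId='0x1a2c'; ProcessName='C:\Windows\notepad.exe'; Status='0x0'; SubjectDomainName='CORP'; SubjectUserName='bob' }
)
$records = $sample | ConvertFrom-SecurityEventXml
Get-ProcessLifecycleRecord -Records $records | Format-Table -AutoSize

# Against a live Security log (elevated prompt), replace $sample with the raw XML of the last hour:
# $sample = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4689; StartTime=(Get-Date).AddHours(-1)} | ForEach-Object { $_.ToXml() }
```

The sample deliberately reuses one PID so that the matching rule is exercised: the cmd.exe pair is reported as short-lived and the notepad.exe pair is not, and neither is paired with the other's creation. The same records can be fed to the rule-based checks in step 05, since they carry Time, ProcessName, User and ExitStatus.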

05. Implement Automated Monitoring and Alerting

Set up automated monitoring for suspicious process termination patterns using PowerShell and Task Scheduler:

  1. Create a monitoring script that checks for unusual termination patterns:
# ProcessTerminationMonitor.ps1
param(
    [int]$ThresholdCount = 10,
    [int]$TimeWindowMinutes = 60
)

$StartTime = (Get-Date).AddMinutes(-$TimeWindowMinutes)
# -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter (quiet window)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689; StartTime=$StartTime} -ErrorAction SilentlyContinue

# Check for processes terminating too frequently
$ProcessCounts = $Events | ForEach-Object {
    if ($_.Message -match 'Process Name:\s+(.+?)\r?\n') {
        $matches[1]
    }
} | Group-Object | Where-Object {$_.Count -gt $ThresholdCount}

if ($ProcessCounts) {
    $AlertMessage = "High process termination rate detected:`n"
    $ProcessCounts | ForEach-Object {
        $AlertMessage += "$($_.Name): $($_.Count) terminations`n"
    }

    # Send alert (customize as needed). The event source must be registered once before Write-EventLog can use it.
    if (-not [System.Diagnostics.EventLog]::SourceExists("ProcessMonitor")) {
        New-EventLog -LogName Application -Source "ProcessMonitor"
    }
    Write-EventLog -LogName Application -Source "ProcessMonitor" -EventId 1001 -EntryType Warning -Message $AlertMessage

    # Optional: Send email alert
    # Send-MailMessage -To "admin@company.com" -From "monitor@company.com" -Subject "Process Termination Alert" -Body $AlertMessage -SmtpServer "mail.company.com"
}
  2. Create a scheduled task to run the monitoring script:
# Create scheduled task for process monitoring
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\ProcessTerminationMonitor.ps1"
# -Once is required together with -At when a repetition interval is given
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName "ProcessTerminationMonitor" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal
  3. Configure Windows Event Forwarding for centralized monitoring:
# Configure WinRM (needed on source computers and collector) and the Windows Event Collector service (collector)
winrm quickconfig -q
wecutil qc /q

# Create custom event forwarding subscription (run on the collector).
# Source-initiated means the forwarding computers must also be pointed at this collector
# (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager)
# and the subscription needs an AllowedSourceDomainComputers entry naming which computers may forward.
$SubscriptionXML = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/11/subscription">
    <SubscriptionId>ProcessTermination</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward Process Termination Events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query>
        <![CDATA[
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">*[System[(EventID=4689)]]</Select>
                </Query>
            </QueryList>
        ]]>
    </Query>
</Subscription>
"@

$SubscriptionXML | Out-File -FilePath "C:\Temp\ProcessTermination.xml"
wecutil cs "C:\Temp\ProcessTermination.xml"
Warning: High-frequency process termination monitoring can generate significant log volume. Implement log rotation and archival strategies to prevent disk space issues.
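The monitor script above applies a single rule (one image terminating more often than a threshold). The following is an added example, not code from the article, that evaluates a batch of parsed 4689 records against several rules at once: the same rate threshold, a watchlist of defensive-tool images whose termination should always be reported together with the account that owned the process (the pattern named in the FAQ), and optionally a non-zero Exit Status check. The function name, the rule names and severities, the constructed records and the image name avagent.exe are assumptions; records only need Time, ProcessName and User, so the output of Get-ProcessTerminationDetails from step 03 can be fed in after renaming TimeCreated.

```powershell
# Added example, not from the article: rule-based evaluation of parsed 4689 records.
function Test-ProcessTerminationRules {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$ThresholdCount = 10,          # max terminations of one image in the batch before alerting
        [string[]]$WatchList = @(),         # image names whose termination is always reported, e.g. your AV/EDR agents
        [switch]$ReportNonZeroExit          # also report processes whose Exit Status is not 0x0
    )
    # Add the leaf image name; split on both separators so the function also runs under pwsh on Linux for testing
    $withImage = $Records | Select-Object *, @{ Name = 'Image'; Expression = { ($_.ProcessName -split '[\\/]')[-1] } }

    # Rule 1: one image terminating more than $ThresholdCount times (the monitor script's check)
    $withImage | Group-Object Image | Where-Object Count -gt $ThresholdCount | ForEach-Object {
        [PSCustomObject]@{ Rule = 'HighTerminationRate'; Image = $_.Name; Detail = "$($_.Count) terminations in batch"; Severity = 'Medium' }
    }

    # Rule 2: any termination of a watch-listed defensive tool, with the account that owned the process
    $withImage | Where-Object { $WatchList -contains $_.Image } | ForEach-Object {
        [PSCustomObject]@{ Rule = 'WatchlistProcessTerminated'; Image = $_.Image; Detail = "at $($_.Time) under $($_.User)"; Severity = 'High' }
    }

    # Rule 3 (optional): non-zero Exit Status, i.e. the process did not end with a normal return code.
    # Skipped for records that carry no ExitStatus property.
    if ($ReportNonZeroExit) {
        $withImage | Where-Object { $_.PSObject.Properties['ExitStatus'] -and $_.ExitStatus -and $_.ExitStatus -ne '0x0' } | ForEach-Object {
            [PSCustomObject]@{ Rule = 'NonZeroExitStatus'; Image = $_.Image; Detail = "exit status $($_.ExitStatus) at $($_.Time)"; Severity = 'Low' }
        }
    }
}

# Constructed sample records (not real log data): 12 conhost.exe exits, one watch-listed agent ending with 0x1, one normal exit
$t0 = [datetime]'2026-03-18T10:00:00Z'
$sample = @(
    1..12 | ForEach-Object { [PSCustomObject]@{ Time = $t0.AddSeconds($_); ProcessName = 'C:\Windows\System32\conhost.exe'; User = 'CORP\alice'; ExitStatus = '0x0' } }
    [PSCustomObject]@{ Time = $t0.AddMinutes(3); ProcessName = 'C:\Program Files\ExampleAV\avagent.exe'; User = 'CORP\bob'; ExitStatus = '0x1' }
    [PSCustomObject]@{ Time = $t0.AddMinutes(5); ProcessName = 'C:\Windows\notepad.exe'; User = 'CORP\carol'; ExitStatus = '0x0' }
)
Test-ProcessTerminationRules -Records $sample -WatchList 'avagent.exe' -ReportNonZeroExit | Format-Table -AutoSize

# Live input from the step 03 function (its output has TimeCreated rather than Time and no ExitStatus):
# $live = Get-ProcessTerminationDetails -MaxEvents 5000 | Select-Object @{ n = 'Time'; e = { $_.TimeCreated } }, ProcessName, User
# Test-ProcessTerminationRules -Records $live -ThresholdCount 10 -WatchList 'avagent.exe'
```

Each rule emits its own objects, so the output can be routed as the monitor script does (Write-EventLog, e-mail) or written as JSON for a SIEM, and the Severity field lets a scheduled run page only on High findings while keeping the Low ones for review.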

Overview

Event ID 4689 fires whenever a process terminates on a Windows system on which process tracking (Audit Process Termination) has been enabled through Group Policy. This event is part of the Windows Security Auditing framework and appears in the Security log, not the System or Application logs. The event captures critical details about the terminated process including its name, process ID, logon ID, and the user account under which it was running.

This event is particularly valuable for security professionals conducting forensic investigations, monitoring suspicious process behavior, or tracking application lifecycle management. Unlike Event ID 4688 which logs process creation, Event ID 4689 specifically focuses on process termination events. The event requires specific audit policies to be configured and will not appear by default on most Windows installations.

System administrators often use this event in conjunction with Event ID 4688 to build comprehensive process execution timelines. The event provides essential data for understanding when processes end, whether they terminated normally or abnormally, and which user context was responsible for the process execution.

Frequently Asked Questions

What does Event ID 4689 mean and when does it appear?
Event ID 4689 indicates that a process has terminated on a Windows system with process auditing enabled. This event appears in the Security log whenever any monitored process ends, whether through normal termination, user action, system shutdown, or process crash. The event requires specific audit policies to be configured through Group Policy or Local Security Policy before it will appear. It provides detailed information about the terminated process including its name, process ID, user context, and termination time, making it valuable for security monitoring and forensic analysis.
Why am I not seeing Event ID 4689 in my Event Viewer?
Event ID 4689 will not appear by default because process termination auditing is disabled on most Windows installations. You must explicitly enable it through Local Security Policy (secpol.msc) by configuring 'Audit process tracking' or through Group Policy using 'Audit Process Termination' under Advanced Audit Policy Configuration. After enabling the policy, you need to restart the system or run 'gpupdate /force' for the changes to take effect. Additionally, ensure you're looking in the Security log, not the System or Application logs, as this is where security audit events are recorded.
How can I correlate Event ID 4689 with process creation events?
Event ID 4689 (process termination) should be correlated with Event ID 4688 (process creation) to build complete process lifecycle timelines. Both events share common fields like Process ID, Process Name, and user context that can be used for correlation. Use PowerShell to match processes by their Process ID and ensure the termination event occurs after the creation event. The Process ID is typically displayed in hexadecimal format (0x1234) in both events. This correlation is essential for understanding process behavior, identifying suspicious activity, and conducting forensic investigations where you need to track the complete lifecycle of specific processes.
What information does Event ID 4689 provide about terminated processes?
Event ID 4689 provides comprehensive details about terminated processes including the Process Name (full path to executable), Process ID in hexadecimal format, Token Elevation Type (indicating privilege level), Subject Security ID (user account that launched the process), Logon ID for session correlation, and precise termination timestamp. If command line auditing is enabled, it may also include the command line arguments used to launch the process. This information is structured in a consistent format that makes it ideal for automated parsing and analysis by security tools, SIEM systems, and PowerShell scripts for security monitoring and incident response.
Can Event ID 4689 help detect malicious process activity?
Yes, Event ID 4689 is valuable for detecting malicious process activity when used as part of a comprehensive security monitoring strategy. Unusual patterns like frequent termination of security tools, processes terminating immediately after creation, or processes being terminated by unexpected user accounts can indicate malicious activity. Correlating termination events with creation events (4688) helps identify short-lived malicious processes, process injection attempts, or security tool evasion techniques. However, this event should be analyzed alongside other security events, network logs, and file system activity for effective threat detection. Automated monitoring scripts can alert on suspicious termination patterns that warrant further investigation.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
