
Windows Event ID 6280 – Microsoft-Windows-Kernel-Process: Process Creation Notification

Event ID 6280 records process creation events in the Microsoft-Windows-Kernel-Process ETW provider, capturing detailed process startup information for security monitoring and system analysis.

Emanuel DE ALMEIDA, 18 March 2026, 9 min read

What This Event Means

Event ID 6280 represents a kernel-level process creation notification generated by the Windows kernel's process management subsystem. When any executable launches on the system, the kernel immediately logs this event to the Microsoft-Windows-Kernel-Process ETW provider before the process fully initializes. This timing ensures that even short-lived processes or those that crash during startup are captured in the event log.

The event contains critical forensic data including the process ID (PID), parent process ID (PPID), executable path, command line arguments, and the security identifier (SID) of the user context under which the process executes. Additionally, it records process creation time with high precision, making it invaluable for timeline analysis during incident response.

Unlike Security Event ID 4688, which depends on audit policy configuration and can be disabled by administrators, Event ID 6280 operates at the kernel level and provides consistent process tracking regardless of audit settings. However, the Microsoft-Windows-Kernel-Process/Analytic log where this event appears is disabled by default and must be explicitly enabled for event collection.

Security teams often enable this logging channel as a backup process monitoring mechanism or when investigating sophisticated threats that attempt to disable traditional audit logging. The event's kernel-level generation makes it more difficult for malware to suppress compared to user-mode audit events.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Normal process creation when any executable file launches on the system
  • Service startup during system boot or manual service initiation
  • Scheduled task execution triggering new process instances
  • User application launches from desktop, Start menu, or command line
  • Child process creation from parent processes (spawning)
  • System process initialization during Windows startup sequence
  • PowerShell script execution creating new process contexts
  • Malware execution attempting to run unauthorized processes
  • Administrative tools launching elevated processes
  • Background application updates creating installer processes
Resolution Methods

Troubleshooting Steps

01

Enable and View Kernel Process Events

First, enable the Microsoft-Windows-Kernel-Process/Analytic log to start collecting Event ID 6280:

# Enable the Kernel Process Analytic log
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:true

# Verify the log is enabled
wevtutil gl Microsoft-Windows-Kernel-Process/Analytic

Navigate to Event Viewer to view the events:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Kernel-Process > Analytic

Query recent Event ID 6280 entries using PowerShell:

# Get the 50 most recent process creation events.
# Analytic and Debug logs can only be read oldest-first, so Get-WinEvent requires -Oldest;
# read the log forward and keep the last 50 entries.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process/Analytic'; Id=6280} -Oldest |
    Select-Object -Last 50 |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Pro tip: The Analytic log can generate high volumes of events. Consider filtering by time range or specific processes to avoid performance impact.

02

Filter Process Events by Executable Path

Create targeted queries to monitor specific executables or suspicious process patterns:

# Monitor specific executable launches.
# The query body below is reconstructed from the QueryList format used by the
# event subscription in step 04; set $TargetImage to the full path of the
# executable you want to watch (cmd.exe is only a placeholder).
$TargetImage = 'C:\Windows\System32\cmd.exe'
$FilterXML = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Kernel-Process/Analytic">
    <Select Path="Microsoft-Windows-Kernel-Process/Analytic">*[System[EventID=6280]] and *[EventData[Data[@Name='ImageName']='$TargetImage']]</Select>
  </Query>
</QueryList>
"@

# Analytic logs can only be read oldest-first, so -Oldest is required
Get-WinEvent -FilterXml $FilterXML -Oldest | Select-Object -Last 25

Monitor processes launched from suspicious directories:

# Check for processes from temp directories
$Events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process/Analytic'; Id=6280} -Oldest | Select-Object -Last 100   # Analytic logs must be read with -Oldest
$Events | Where-Object {$_.Message -match "\\temp\\|\\appdata\\local\\temp\\"} | Select-Object TimeCreated, Message

Export filtered results for analysis:

# Export suspicious process events to CSV (Analytic logs must be read with -Oldest)
$SuspiciousEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process/Analytic'; Id=6280} -Oldest |
  Select-Object -Last 1000 |
  Where-Object {$_.Message -match "powershell|cmd|wscript|cscript"}
$SuspiciousEvents | Export-Csv -Path "C:\temp\process_events.csv" -NoTypeInformation

03

Analyze Parent-Child Process Relationships

Extract and analyze process hierarchy information from Event ID 6280 to identify process spawning patterns:

# Parse process creation events for parent-child relationships
$ProcessEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-Process/Analytic'; Id=6280} -Oldest | Select-Object -Last 500   # Analytic logs must be read with -Oldest

$ProcessData = foreach ($Event in $ProcessEvents) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        ProcessId = ($EventData | Where-Object {$_.Name -eq 'ProcessId'}).InnerText
        ParentProcessId = ($EventData | Where-Object {$_.Name -eq 'ParentProcessId'}).InnerText
        ImageName = ($EventData | Where-Object {$_.Name -eq 'ImageName'}).InnerText
        CommandLine = ($EventData | Where-Object {$_.Name -eq 'CommandLine'}).InnerText
    }
}

# Display process tree
$ProcessData | Sort-Object TimeCreated | Format-Table -AutoSize

Identify processes with unusual parent relationships:

# Find processes spawned by unexpected parents.
# ParentProcessId is a number, so first map each PID seen in $ProcessData to its
# image name; parents that started before the collected window stay unresolved.
$ImageByPid = @{}
foreach ($P in $ProcessData) { $ImageByPid[$P.ProcessId] = $P.ImageName }

$UnusualParents = $ProcessData |
    Select-Object *, @{Name='ParentImage'; Expression={ $ImageByPid[$_.ParentProcessId] }} |
    Where-Object {
        ($_.ImageName -match "powershell.exe" -and $_.ParentImage -notmatch "explorer.exe|cmd.exe") -or
        ($_.ImageName -match "cmd.exe" -and $_.ParentImage -match "winword.exe|excel.exe|outlook.exe")
    }

$UnusualParents | Format-Table TimeCreated, ImageName, ParentProcessId, ParentImage -AutoSize

Warning: High-volume process creation can impact system performance. Use time-based filters when analyzing busy systems.

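As an added example that is not code from the original article, the following PowerShell takes the parent-child analysis one step further: it rebuilds a process tree from the fields parsed out of Event ID 6280 records (ProcessId, ParentProcessId, ImageName, CommandLine), resolves every parent PID to an image name so that parent checks compare executables rather than numbers, and reports parents that started before the collection window as not captured. The records in `$Sample` are constructed sample data; with live data, pass the objects produced by the parsing loop above as `-Records`. The function names and the 32-level depth guard are my own choices.

```powershell
# Added example, not from the original article. Rebuilds a process tree from
# parsed Event ID 6280 fields and resolves each parent PID to an image name.

function Resolve-ParentImage {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Map PID -> image name from the records themselves, oldest first, so that
    # when a PID is reused the later start wins for later children.
    $ImageByPid = @{}
    foreach ($R in ($Records | Sort-Object TimeCreated)) {
        $ImageByPid[[int]$R.ProcessId] = $R.ImageName
    }
    foreach ($R in $Records) {
        $ParentImage = $ImageByPid[[int]$R.ParentProcessId]
        # A parent that started before the collection window was never captured
        if (-not $ParentImage) { $ParentImage = '(not captured)' }
        $R | Add-Member -NotePropertyName ParentImage -NotePropertyValue $ParentImage -Force -PassThru
    }
}

function Write-TreeNode {
    param($Node, [object[]] $All, [int] $Depth)
    if ($Depth -gt 32) { return }   # guard against cycles introduced by PID reuse
    $Image  = Split-Path $Node.ImageName -Leaf
    $Parent = Split-Path $Node.ParentImage -Leaf
    '{0}{1} (PID {2}, parent {3}) {4}' -f ('  ' * $Depth), $Image, $Node.ProcessId, $Parent, $Node.CommandLine
    $All | Where-Object { [int]$_.ParentProcessId -eq [int]$Node.ProcessId } |
        Sort-Object TimeCreated |
        ForEach-Object { Write-TreeNode -Node $_ -All $All -Depth ($Depth + 1) }
}

function Show-ProcessTree {
    param([Parameter(Mandatory)] [object[]] $Records)
    $Resolved  = @(Resolve-ParentImage -Records $Records)
    $KnownPids = @{}
    foreach ($R in $Resolved) { $KnownPids[[int]$R.ProcessId] = $true }
    # Roots are processes whose parent does not appear in the data set
    $Resolved | Where-Object { -not $KnownPids.ContainsKey([int]$_.ParentProcessId) } |
        Sort-Object TimeCreated |
        ForEach-Object { Write-TreeNode -Node $_ -All $Resolved -Depth 0 }
}

function Find-UnusualParent {
    param([Parameter(Mandatory)] [object[]] $Records)
    # Same two rules as the article, but evaluated against the resolved parent image
    Resolve-ParentImage -Records $Records | Where-Object {
        $Image  = Split-Path $_.ImageName -Leaf
        $Parent = Split-Path $_.ParentImage -Leaf
        ($Image -eq 'powershell.exe' -and $Parent -notin @('explorer.exe', 'cmd.exe')) -or
        ($Image -eq 'cmd.exe' -and $Parent -in @('winword.exe', 'excel.exe', 'outlook.exe'))
    }
}

# Constructed sample records shaped like the parsed Event ID 6280 fields
$Sample = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 09:00:00'; ProcessId = 4120; ParentProcessId = 1024; ImageName = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 09:01:10'; ProcessId = 5200; ParentProcessId = 4120; ImageName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = '"WINWORD.EXE" /n report.docx' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 09:01:42'; ProcessId = 5388; ParentProcessId = 5200; ImageName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c start' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 09:01:43'; ProcessId = 5402; ParentProcessId = 5388; ImageName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -nop' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 09:02:05'; ProcessId = 5610; ParentProcessId = 4120; ImageName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

Show-ProcessTree -Records $Sample
Find-UnusualParent -Records $Sample | Format-Table TimeCreated, ImageName, ParentImage -AutoSize
```

With the sample data, explorer.exe is the only root (its parent PID 1024 is not in the set), WINWORD.EXE, cmd.exe and powershell.exe nest underneath it, and Find-UnusualParent flags only the cmd.exe started by WINWORD.EXE, since the powershell.exe instance has cmd.exe as its parent, which the article's rule treats as expected. Resolving parents by name only works for parents that were themselves captured, which is why a longer collection window, or a PID-to-image map seeded from a process listing taken at collection time, gives better coverage.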
04

Configure Advanced ETW Logging and Monitoring

Set up comprehensive ETW logging with custom log size and retention policies:

# Configure log size and retention
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /ms:104857600  # maximum log size 100 MB
wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /rt:false      # retention off: overwrite oldest events when the log is full

# Create scheduled task for log rotation
$Action = New-ScheduledTaskAction -Execute "wevtutil" -Argument "cl Microsoft-Windows-Kernel-Process/Analytic"
$Trigger = New-ScheduledTaskTrigger -Daily -At "02:00AM"
$Settings = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable:$false
Register-ScheduledTask -TaskName "RotateKernelProcessLog" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"

Create custom event forwarding for centralized monitoring:

# Save as ProcessCreation.xml for event forwarding
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ProcessCreationEvents</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward Process Creation Events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Kernel-Process/Analytic">*[System[EventID=6280]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>

Deploy the subscription:

# Create event subscription
wecutil cs ProcessCreation.xml
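As an added example that is not part of the original article, the following function rotates the Kernel-Process Analytic log the way the retention discussion above and the disk-space question in the FAQ suggest: it archives the log to a timestamped .evtx with `wevtutil epl` before clearing it, then prunes archives older than a retention period, so that clearing never discards evidence. It assumes wevtutil is on the PATH, that the script runs elevated, and that `C:\Logs\KernelProcess` is a writable archive folder (an assumed location, not one from the article). Because Analytic channels are direct channels and can refuse export and clear while enabled, the function disables the log for the duration of the rotation and re-enables it in a `finally` block.

```powershell
# Added example, not from the original article. Archive-then-clear rotation
# for the Kernel-Process Analytic log, with pruning of old archives.

function Invoke-KernelProcessLogRotation {
    param(
        [string] $LogName       = 'Microsoft-Windows-Kernel-Process/Analytic',
        [string] $ArchiveFolder = 'C:\Logs\KernelProcess',   # assumed location
        [int]    $RetentionDays = 30
    )
    if (-not (Test-Path $ArchiveFolder)) {
        New-Item -ItemType Directory -Path $ArchiveFolder | Out-Null
    }
    $Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $Archive = Join-Path $ArchiveFolder ("KernelProcess-Analytic-{0}.evtx" -f $Stamp)

    # Analytic channels are direct channels: export and clear can fail while the
    # channel is enabled, so disable it for the rotation. Processes that start
    # during this short gap are not recorded.
    & wevtutil sl $LogName /e:false
    if ($LASTEXITCODE -ne 0) { throw "Failed to disable $LogName (exit $LASTEXITCODE)" }
    try {
        & wevtutil epl $LogName $Archive
        if ($LASTEXITCODE -ne 0) { throw "Export of $LogName to $Archive failed (exit $LASTEXITCODE)" }
        & wevtutil cl $LogName
        if ($LASTEXITCODE -ne 0) { throw "Clear of $LogName failed (exit $LASTEXITCODE)" }
    }
    finally {
        # Always re-enable, even if the export or the clear failed
        & wevtutil sl $LogName /e:true
    }

    # Prune archives beyond the retention window
    $Cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -Path $ArchiveFolder -Filter 'KernelProcess-Analytic-*.evtx' |
        Where-Object { $_.LastWriteTime -lt $Cutoff } |
        Remove-Item -Force

    [PSCustomObject]@{
        Archive      = $Archive
        ArchiveBytes = (Get-Item $Archive).Length
        Retained     = @(Get-ChildItem -Path $ArchiveFolder -Filter 'KernelProcess-Analytic-*.evtx').Count
    }
}

# Run once now; schedule it (for example with the scheduled task shown above,
# pointed at this script instead of a bare 'wevtutil cl') to run daily.
Invoke-KernelProcessLogRotation -RetentionDays 14
```

The archived .evtx files can be opened in Event Viewer or read with `Get-WinEvent -Path <file> -Oldest`, so the parent-child analysis from step 03 still works on rotated data; forwarding the archives to a central store before pruning keeps the local footprint small without losing history.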
05

Implement Automated Threat Detection Rules

Create PowerShell-based monitoring script for real-time threat detection:

# Advanced threat detection script
$LogName = 'Microsoft-Windows-Kernel-Process/Analytic'
$EventId = 6280

# Define suspicious patterns
$SuspiciousPatterns = @(
    '.*\\temp\\.*\.exe',
    '.*powershell.*-enc.*',
    '.*cmd.*\/c.*echo.*',
    '.*wscript.*\.vbs',
    '.*regsvr32.*scrobj.dll'
)

# Monitor for new events. The -Action block runs in its own scope and cannot see
# the caller's variables, so the pattern list is handed over with -MessageData.
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='$LogName' AND EventCode=$EventId" `
    -SourceIdentifier 'KernelProcessWatch' -MessageData $SuspiciousPatterns -Action {
    $NewEvent = $Event.SourceEventArgs.NewEvent
    $Message  = $NewEvent.Message

    foreach ($Pattern in $Event.MessageData) {
        if ($Message -match $Pattern) {
            Write-Host "[ALERT] Suspicious process detected: $Message" -ForegroundColor Red
            # Add alerting logic here (email, SIEM, etc.)
            break
        }
    }
}

Write-Host "Process monitoring active. Press Ctrl+C to stop."
try { while ($true) { Start-Sleep 1 } }
finally { Unregister-Event -SourceIdentifier 'KernelProcessWatch' }

Configure Windows Performance Toolkit (WPT) for advanced analysis:

# Create custom ETW session for detailed process tracking
$SessionName = "ProcessMonitoring"
$ETLFile = "C:\temp\process_trace.etl"

# Start ETW session
logman create trace $SessionName -p Microsoft-Windows-Kernel-Process -o $ETLFile -ets

# Stop session after collection period
# logman stop $SessionName -ets

Pro tip: Combine Event ID 6280 monitoring with Sysmon Event ID 1 for comprehensive process tracking across different logging mechanisms.

Overview

Event ID 6280 fires whenever a new process starts on a Windows system, generated by the Microsoft-Windows-Kernel-Process ETW (Event Tracing for Windows) provider. This event captures comprehensive process creation details including parent process information, command line arguments, and security context. Unlike the more commonly referenced Event ID 4688 from the Security log, Event ID 6280 provides kernel-level process tracking that operates independently of audit policy settings.

This event appears in the Microsoft-Windows-Kernel-Process/Analytic log, which requires manual enablement through Event Viewer or PowerShell commands. System administrators leverage Event ID 6280 for advanced process monitoring, malware detection, and forensic analysis when traditional Security log auditing is insufficient or disabled.

The event becomes particularly valuable in environments where comprehensive process tracking is required but Security audit policies cannot be modified due to performance concerns or organizational restrictions. Event ID 6280 provides similar process creation visibility with minimal system overhead compared to traditional audit logging.

Frequently Asked Questions

What is the difference between Event ID 6280 and Security Event ID 4688?

Event ID 6280 is generated by the kernel-level Microsoft-Windows-Kernel-Process ETW provider and operates independently of audit policy settings, while Event ID 4688 requires 'Audit Process Creation' to be enabled in Security Policy. Event ID 6280 provides similar process creation information but appears in the Analytic log channel rather than the Security log. The kernel-level generation of 6280 makes it more reliable for forensic analysis since it cannot be easily disabled by malware that might attempt to modify audit policies.

Why don't I see Event ID 6280 in my Event Viewer by default?

The Microsoft-Windows-Kernel-Process/Analytic log is disabled by default to prevent performance impact from high-volume process creation events. You must manually enable it using 'wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /e:true' or through Event Viewer by right-clicking the Analytic log under Microsoft-Windows-Kernel-Process and selecting 'Enable Log'. Once enabled, the system will start collecting Event ID 6280 entries for all new process creations.

How can I prevent Event ID 6280 logs from consuming too much disk space?

Configure log size limits and retention policies using wevtutil commands. Set the maximum log size with 'wevtutil sl Microsoft-Windows-Kernel-Process/Analytic /ms:104857600' (100MB example). Enable log overwrite mode with '/rt:false' so that the oldest events are overwritten once the log reaches its maximum size. Create scheduled tasks to periodically clear or archive logs using 'wevtutil cl Microsoft-Windows-Kernel-Process/Analytic'. For production environments, consider forwarding events to a centralized logging system and maintaining smaller local log files.

Can Event ID 6280 help detect malware that disables Security audit logging?

Yes, Event ID 6280 operates at the kernel level independently of Security audit policies, making it valuable for detecting malware that attempts to disable traditional process auditing. Since the event is generated by the kernel's process management subsystem before the process fully initializes, it captures process creation even when Security Event ID 4688 is disabled. However, sophisticated malware could potentially disable the Analytic log itself, so it should be used as part of a layered monitoring approach rather than a single detection mechanism.

What information does Event ID 6280 provide that other process monitoring tools don't?

Event ID 6280 provides kernel-level process creation timestamps with high precision, complete command line arguments, parent process relationships, and security context information (SID) at the exact moment of process creation. Unlike user-mode monitoring tools, it captures short-lived processes that might terminate before other monitoring mechanisms can detect them. The event also includes process and parent process IDs that enable detailed process tree analysis for forensic investigations. Additionally, it provides this information through the standard Windows Event Log infrastructure, making it compatible with existing log management and SIEM systems.


Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
