Windows Event ID 4688 - Process Creation

Records the creation of every new process, including the executable path, command line arguments (when enabled), parent process, and security context. Critical for detecting malware execution, suspicious commands, and living-off-the-land attacks.

Quick Facts

Default Path (Linux):  N/A (Windows Event Forwarding to SIEM)
Default Format:        Windows Event Log (EVTX)
JSON Native:           No
Rotation:              Windows Event Log settings (recommend 1GB+ for process auditing)

Log Example

Default format: Windows Event Log Format

Example Log Entry:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/29/2026 10:30:45 AM
Event ID:      4688
Task Category: Process Creation
Keywords:      Audit Success
Computer:      WORKSTATION01.corp.local
Description:
A new process has been created.

Creator Subject:
    Account Name:       jsmith
    Account Domain:     CORP
    Logon ID:           0x12345678

Process Information:
    New Process ID:         0x1234
    New Process Name:       C:\Windows\System32\cmd.exe
    Creator Process ID:     0x5678
    Creator Process Name:   C:\Windows\explorer.exe
    Process Command Line:   cmd.exe /c whoami /all

Structure:

XML-based binary format

Available Formats

Windows Event Log Format (default)

Structure:

XML-based binary format

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID>
    <Computer>WORKSTATION01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami /all</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>

Structure:

Native XML representation

Fields Reference

Field               Type      Description                                   Example
EventID             integer   Event identifier (always 4688)                4688
TimeCreated         datetime  Timestamp when the process was created        2026-01-29T10:30:45.123Z
Computer            string    Computer where the process was created        WORKSTATION01.corp.local
SubjectUserName     string    Account that created the process              jsmith
SubjectDomainName   string    Domain of the creator account                 CORP
NewProcessId        string    Process ID of the new process (hex)           0x1234
NewProcessName      string    Full path of the executable                   C:\Windows\System32\cmd.exe
CommandLine         string    Full command line (requires GPO to enable)    cmd.exe /c whoami /all
ProcessId           string    Parent (creator) process ID (hex)             0x5678
ParentProcessName   string    Full path of the parent process               C:\Windows\explorer.exe
TokenElevationType  string    Token elevation type                          %%1936

Parsing Patterns

Grok Patterns

For the XML format:

<Data Name="NewProcessName">%{DATA:process_name}</Data>.*<Data Name="CommandLine">%{DATA:command_line}</Data>

Regular Expressions

For the XML format:

NewProcessName">(?P<process_name>[^<]+)</Data>.*CommandLine">(?P<command_line>[^<]*)</Data>

Collector Configurations

Splunk (SPL):

# Suspicious processes (LOLBins)
index=wineventlog EventCode=4688
 (NewProcessName="*\\powershell.exe" OR NewProcessName="*\\cmd.exe" OR
 NewProcessName="*\\mshta.exe" OR NewProcessName="*\\certutil.exe")
| table _time, Computer, SubjectUserName, NewProcessName, CommandLine, ParentProcessName

# Encoded PowerShell commands
index=wineventlog EventCode=4688 NewProcessName="*\\powershell.exe"
 (CommandLine="*-enc*" OR CommandLine="*-EncodedCommand*")
| table _time, Computer, SubjectUserName, CommandLine

# Office spawning command shells
index=wineventlog EventCode=4688
 ParentProcessName IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE")
 NewProcessName IN ("*\\cmd.exe", "*\\powershell.exe")
| table _time, Computer, ParentProcessName, NewProcessName, CommandLine
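The parsing patterns and the three Splunk searches above, carried out in code as an added example (not part of the original page): a small parser for the XML form of 4688 shown earlier, and a detect() function that applies the LOLBin, encoded-PowerShell and Office-spawns-shell rules to one parsed event. It also flags an empty CommandLine field, which is what you see on hosts where command line auditing has not been enabled. The sample events are constructed here; the hypothetical base64 string is a placeholder, not a real payload.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "certutil.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def make_event(user, new_proc, cmdline, parent):
    """Constructed sample 4688 event in the XML layout shown on this page."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        '<EventID>4688</EventID><Computer>WORKSTATION01.corp.local</Computer></System>'
        f'<EventData><Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="NewProcessName">{new_proc}</Data>'
        f'<Data Name="CommandLine">{cmdline}</Data>'
        f'<Data Name="ParentProcessName">{parent}</Data></EventData></Event>'
    )


def parse_4688(xml_text):
    """Return the EventData fields as a dict, or None if this is not a 4688 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    # An empty <Data> element (command line auditing off) has text None; normalise to "".
    return {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Apply the three Splunk detections above to one parsed event; returns rule names."""
    new = basename(ev.get("NewProcessName", ""))
    parent = basename(ev.get("ParentProcessName", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if new in LOLBINS:
        hits.append("lolbin")
    # "-enc" (case-insensitive) covers both the -enc and -EncodedCommand forms in the search.
    if new == "powershell.exe" and "-enc" in cmd.lower():
        hits.append("encoded_powershell")
    if parent in OFFICE_APPS and new in SHELLS:
        hits.append("office_spawns_shell")
    if not cmd:
        # Empty CommandLine: ProcessCreationIncludeCmdLine_Enabled is not set on this host.
        hits.append("missing_cmdline")
    return hits
```

Feed real events in by exporting them as XML (for example with wevtutil qe Security /f:xml) and calling parse_4688 on each <Event> element.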

Configuration

Enable Logging

Enable process creation auditing and command line logging

# Enable Process Creation auditing
auditpol /set /subcategory:"Process Creation" /success:enable

# CRITICAL: Enable command line logging
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Command line logging is disabled by default; without it the CommandLine field in every 4688 event is empty, which removes most of the detection value. The same setting is exposed in Group Policy under Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events".

Log To Syslog

Forward via Windows Event Forwarding (WEF) to the collector. 4688 is a high-volume event, so consider filtering noisy processes such as conhost.exe at the subscription or SIEM side.

Use Cases

Process inventory: track applications run across the environment.

Key fields: NewProcessName, SubjectUserName, Computer

Tested On

Windows Server 2022
Last updated: 2026-01-29 by admin
