Windows Security Log Event ID 4688
Operating Systems Windows Vista
Windows Server 2008
Category
 • Subcategory		Process Tracking
 • Process Creation
Type Success
Corresponding events
in Windows 2003
and before		 592  
Discussions on Event ID 4688
Ask a question about this event

4688: A new process has been created

On this page

Get Adobe Flash player

Event 4688 documents each program that is executed, who the program ran as and the process that started this process.

When you start a program you are creating a "process" that stays open until the program exits.  This process is identified by the Process ID:.  You can correlate this event to other events by Process ID to determine what the program did while it ran and when it exited (event 4689).

Free Security Log Quick Reference Chart

Description Fields in 4688

Subject:

The user and logon session that the program ran under. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Process Information:

  • New Process ID: is a semi-unique (unique between reboots) number that identifies the process.  Process ID allows you to correlate other events logged during the same process.  To determine when the program ended look for a subsequent event 4689 with the same Process ID.
  • New Process Name: The full patch of the executable
  • Token Elevation Type: This is useful for detecting when users running under User Account Control consent to running a program with admin authority - look for Type 2.
  • Creator Process ID:identifies the processes that started this process. Look for a preceding event 4688 with a New Process ID that matches this Creator Process process ID.

Top 10 Windows Security Events to Monitor

Examples of 4688

A new process has been created.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Process Information:

   New Process ID:  0xed0
   New Process Name: C:\Windows\System32\notepad.exe
   Token Elevation Type: TokenElevationTypeDefault (1)
   Creator Process ID: 0x8c0

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this


Training for the Windows Security Log
Get Adobe Flash player


Mini-Seminars Covering Event ID 4688
Discussions on Event ID 4688
Ask a question about this event

 

Upcoming Webinars
Additional Resources