Windows Security Log Event ID 4688

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Process Tracking
 • Process Creation
Type Success
Corresponding events
in Windows 2003
and before
592  

4688: A new process has been created

On this page

Event 4688 documents each program that is executed, who the program ran as and the process that started this process.

When you start a program you are creating a "process" that stays open until the program exits.  This process is identified by the Process ID:.  You can correlate this event to other events by Process ID to determine what the program did while it ran and when it exited (event 4689).

Win2012R2 adds Process Command Line.

Free Security Log Resources by Randy

Description Fields in 4688

Creator Subject:

The user and logon session that started the program. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Subject: 

Added in Win2016/10.  These fields only apply when the process is started under a different user account.  By default, a new process runs under the same account and logon session as the creator process.  One of the examples below shows the SYSTEM account starting RuntimeBroker.exe as a different user.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. 

Process Information:

  • New Process ID: A semi-unique (unique between reboots) number that identifies the process.  Process ID allows you to correlate other events logged during the same process.  To determine when the program ended look for a subsequent event 4689 with the same Process ID.
  • New Process Name: The full path of the executable
  • Token Elevation Type: This is useful for detecting when users running under User Account Control consent to running a program with admin authority - look for Type 2.
  • Token Elevation Type: Token elevation is about User Account Control
    • %%1936  - Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
    • %%1937 - Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
    • %%1938 - Type 3 is the normal value when UAC is enabled and a user simply starts a program from the Start Menu.  It's a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
  • Mandatory Label: (new to Win10) In addition to each objects Discretionary Access Control List (permissions on a file) Windows also enforces Mandatory Integrity Control (MIC) over object access attempts which compares the object's integrity label to the the integrity level on the process trying to access the object.  This field documents the integrity of the process which is determined from the user integrity level and the file integrity level of the EXE.  Learn more about MIC at https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx.  The actual values observed so far include
    • Mandatory Label\Low Mandatory Level
    • Mandatory Label\Medium Mandatory Level
    • Mandatory Label\System Mandatory Level
SID RID RID label Meaning
S-1-16-0 0x00000000 SECURITY_MANDATORY_UNTRUSTED_RID Untrusted.
S-1-16-4096 0x00001000 SECURITY_MANDATORY_LOW_RID Low integrity.
S-1-16-8192 0x00002000 SECURITY_MANDATORY_MEDIUM_RID Medium integrity.
S-1-16-8448 0x00002100 SECURITY_MANDATORY_MEDIUM_PLUS_RID Medium high integrity.
S-1-16-12288 0X00003000 SECURITY_MANDATORY_HIGH_RID High integrity.
S-1-16-16384 0x00004000 SECURITY_MANDATORY_SYSTEM_RID System integrity.
S-1-16-20480 0x00005000 SECURITY_MANDATORY_PROTECTED_PROCESS_RID Protected process.
  • Creator Process ID: Identifies the processes that started this process. Look for a preceding event 4688 with a New Process ID that matches this Creator Process process ID - or if on Win10 or later look at the next field to get EXE name of the parent process.
  • Creator Process Name: (new to Win10) This useful field documents the name of the program that started this new process.
  • Process Command Line: (new to Win2012R2) If enabled this field documents the command line arguments (including any passwords) passed into the EXE when the process was started. See  “Administrative Templates\System\Audit Process Creation\Include command line in process creation events” in group policy.

 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4688

Windows 2016/10

A new process has been created.

Creator Subject:
 Security ID:  SYSTEM
 Account Name:  RFSH$
 Account Domain:  LAB
 Logon ID:  0x3E7

Target Subject:
 Security ID:  LAB\rsmith
 Account Name:  rsmith
 Account Domain:  LAB
 Logon ID:  0x2C9D82

Process Information:
 New Process ID:  0x2e0e4
 New Process Name: C:\Windows\System32\RuntimeBroker.exe
 Token Elevation Type: %%1938
 Mandatory Label:  Mandatory Label\Medium Mandatory Level
 Creator Process ID: 0x268
 Creator Process Name: C:\Windows\System32\svchost.exe
 Process Command Line: 

Pre-Windows 2016/10

A new process has been created.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Process Information:

   New Process ID:  0xed0
   New Process Name: C:\Windows\System32\notepad.exe
   Token Elevation Type: TokenElevationTypeDefault (1)
   Mandatory Label: Mandatory Label\Medium Mandatory Level
   Creator Process ID: 0x8c0
   Creator Process Name: c:\windows\system32\explorer.exe
   Process Command Line: C:\Windows\System32\notepad.exe c:\sys\junk.txt

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

Download Supercharger Free

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources