Windows Security Log Event ID 4689
Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Process Tracking
 • Process Termination
Type Success
Corresponding events
in Windows 2003
and before
593  
Discussions on Event ID 4689
Ask a question about this event

4689: A process has exited

On this page

Event 4689 documents when a process ends. 

When you start a program you are creating a "process" that stays open until the program exits.  This process is identified by the Process ID:. 

You can use this event to tell how long the program ran by correlating it to the earlier 4688 with the same Process ID.

Subject:

The user and logon session that the program ran under. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Process Information:

  • Process ID: is a semi-unique (unique between reboots) number that identifies the process.  Process ID allows you to correlate other events logged during the same process.  To determine when the program started look for a previous event 4688 with the same Process ID.
  • Process Name: The full path of the executable
  • Exit Status: the exit code of the process - normally 0.

 

Top 10 Windows Security Events to Monitor

A process has exited.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Process Information:

   Process ID: 0xed0
   Process Name: C:\Windows\System32\notepad.exe
   Exit Status: 0x0

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this