A process has exited
On this page
Event 4689 documents when a process ends.
When you start a program you are creating a "process" that stays open until the program exits. This process is identified by the Process ID:.
You can use this event to tell how long the program ran by correlating it to the earlier 4688 with the same Process ID.
The user and logon session that the program ran under.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- Process ID: is a semi-unique (unique between reboots) number that identifies the process. Process ID allows you to correlate other events logged during the same process. To determine when the program started look for a previous event 4688 with the same Process ID.
- Process Name: The full path of the executable
- Exit Status: the exit code of the process - normally 0.
Top 10 Windows Security Events to Monitor
A process has exited.
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Process ID: 0xed0
Process Name: C:\Windows\System32\notepad.exe
Exit Status: 0x0
Keep me up-to-date on the Windows Security Log.
*We will NOT share this