Event Details
EventID 4688 - A new process has been created.
Sample:
A new process has been created.

Creator Subject:
	Security ID:		ITSS\intrust.service
	Account Name:		intrust.service
	Account Domain:		ITSS
	Logon ID:		0x3764a

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x21d0
	New Process Name:	C:\Windows\System32\conhost.exe
	Token Elevation Type:	TokenElevationTypeDefault (1)

	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x25b4
	Creator Process Name:	C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
===========================
Description template stored in adtschema.dll:
===========================
A new process has been created.

Creator Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Target Subject:
	Security ID:		%10
	Account Name:		%11
	Account Domain:		%12
	Logon ID:		%13

Process Information:
	New Process ID:		%5
	New Process Name:	%6!S!
	Token Elevation Type:	%7
	Mandatory Label:		%15
	Creator Process ID:	%8
	Creator Process Name:	%14!S!
	Process Command Line:	%9!S!

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security

Filtering Field   Equals to Value
OSVersion         Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016)
Category          Detailed Tracking
Source            Microsoft-Windows-Security-Auditing
TaskCategory      Process Creation
EventId           4688

Note on field availability: only Creator Subject and the first four Process Information fields (%1-%8 in the template) exist on every OS version listed. Process Command Line (%9) was added with event version 1 (Windows 8.1 / Windows Server 2012 R2) and stays empty, as in the sample above, unless the "Include command line in process creation events" policy (Audit Process Creation) is enabled. Target Subject, Mandatory Label and Creator Process Name (%10-%15) were added with event version 2 (Windows 10 / Windows Server 2016), so the sample above comes from one of those systems. Parsers and detection rules that key on these fields must tolerate their absence on older hosts.
Field Matching

Field                 | Description                                                              | Stored in                                  | Sample Value
When                  | The date and time at which the user activity originated in the system.   | DateTime                                   | 10.10.2000 19:00:00
Who                   | Account or user name under which the activity occurred.                  | Creator Subject: Account Name              | Administrator
What                  | The type of activity that occurred (e.g. Logon, Password Changed, etc.). | "Process Created"                          | Process Created
Where                 | The name of the workstation/server where the activity was logged.        | Computer                                   | DC1
Where From            | The name of the workstation/server from which the activity was initiated.| -                                          | 10.10.10.10
Severity              | The seriousness of the event.                                            | "Medium"                                   | Medium
WhoDomain             | -                                                                        | Creator Subject: Account Domain            | LOGISTICS
WhereDomain           | -                                                                        | -                                          | -
Program Name          | The name of the executed program/process.                                | Process Information: New Process Name      | C:\Windows\System32\shutdown.exe
Security ID           | -                                                                        | Creator Subject: Security ID               | ITSS\intrust.service
Account Name          | -                                                                        | InsertionString2                           | intrust.service
Account Domain        | -                                                                        | InsertionString3                           | ITSS
Target Account Name   | -                                                                        | Target Subject: Account Name               | -
Target Account Domain | -                                                                        | Target Subject: Account Domain             | -
Process Name          | -                                                                        | InsertionString6                           | C:\Windows\System32\conhost.exe
Parent Process Name   | -                                                                        | Process Information: Creator Process Name  | C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe
Command               | -                                                                        | Process Information: Process Command Line  |
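The parser below is added here as a worked example; it is not code from InTrust, Quest or Windows. It turns a rendered 4688 message like the sample at the top of this page into a dictionary keyed by the EventData element names of the event's XML view, in the %1..%15 order of the adtschema.dll template above (so InsertionString2 is SubjectUserName and InsertionString6 is NewProcessName, matching the Field Matching table), decodes the Token Elevation Type either from the rendered "TokenElevationTypeDefault (1)" text or from the unrendered %%1936 / %%1937 / %%1938 values the XML view carries for %7, and attaches two analyst notes that the Token Elevation Type explanation and the sample motivate: an elevated Type 2 launch, and an empty Process Command Line, which means the "Include command line in process creation events" policy is not enabled. The function names parse_4688, elevation_type and triage, the LABELS and INSERTION_STRINGS tables, and the space-indented copy of the page's sample event used as input are this example's own.

```python
import re
from typing import Dict, List, Optional

# %N in the adtschema.dll template -> <Data Name="..."> element in the event's
# XML view (the same position as InsertionStringN in the Field Matching table).
INSERTION_STRINGS: Dict[int, str] = {
    1: "SubjectUserSid", 2: "SubjectUserName", 3: "SubjectDomainName",
    4: "SubjectLogonId", 5: "NewProcessId", 6: "NewProcessName",
    7: "TokenElevationType", 8: "ProcessId", 9: "CommandLine",
    10: "TargetUserSid", 11: "TargetUserName", 12: "TargetDomainName",
    13: "TargetLogonId", 14: "ParentProcessName", 15: "MandatoryLabel",
}
# (section heading, label) -> %N; "Account Name" etc. occur under both subjects.
LABELS: Dict[tuple, int] = {
    ("Creator Subject", "Security ID"): 1, ("Creator Subject", "Account Name"): 2,
    ("Creator Subject", "Account Domain"): 3, ("Creator Subject", "Logon ID"): 4,
    ("Target Subject", "Security ID"): 10, ("Target Subject", "Account Name"): 11,
    ("Target Subject", "Account Domain"): 12, ("Target Subject", "Logon ID"): 13,
    ("Process Information", "New Process ID"): 5,
    ("Process Information", "New Process Name"): 6,
    ("Process Information", "Token Elevation Type"): 7,
    ("Process Information", "Mandatory Label"): 15,
    ("Process Information", "Creator Process ID"): 8,
    ("Process Information", "Creator Process Name"): 14,
    ("Process Information", "Process Command Line"): 9,
}
ELEVATION_RAW = {"%%1936": 1, "%%1937": 2, "%%1938": 3}  # unrendered %7 values


def parse_4688(message: str) -> Dict[str, str]:
    """Map a rendered 4688 message onto EventData names; missing fields stay ''."""
    fields = {name: "" for name in INSERTION_STRINGS.values()}
    section: Optional[str] = None
    for raw in message.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line == line.lstrip() and line.endswith(":"):  # unindented heading
            section = line[:-1]
            continue
        if section is None or ":" not in line:  # title line or UAC explanation
            continue
        label, _, value = line.strip().partition(":")  # first colon only, so
        num = LABELS.get((section, label.strip()))     # "C:\..." paths survive
        if num is not None:
            fields[INSERTION_STRINGS[num]] = value.strip()
    return fields


def elevation_type(fields: Dict[str, str]) -> int:
    """Return 1, 2 or 3 from the rendered text or the raw %%193x value."""
    value = fields["TokenElevationType"].strip()
    if value in ELEVATION_RAW:
        return ELEVATION_RAW[value]
    match = re.search(r"\((\d)\)$", value)
    if match is None:
        raise ValueError(f"unrecognised Token Elevation Type: {value!r}")
    return int(match.group(1))


def triage(fields: Dict[str, str]) -> List[str]:
    """Analyst notes that follow from the fields alone."""
    notes = []
    if elevation_type(fields) == 2:
        notes.append("Type 2: full admin token (Run as administrator or an app that "
                     "requires it); review ParentProcessName and CommandLine")
    if fields["CommandLine"] == "":
        notes.append("empty CommandLine: enable 'Include command line in process "
                     "creation events' under Audit Process Creation")
    return notes


# The page's sample event, reproduced as test input (tabs replaced by spaces).
PAGE_SAMPLE = r"""A new process has been created.
Creator Subject:
    Security ID:        ITSS\intrust.service
    Account Name:       intrust.service
    Account Domain:     ITSS
    Logon ID:           0x3764a

Target Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Process Information:
    New Process ID:     0x21d0
    New Process Name:   C:\Windows\System32\conhost.exe
    Token Elevation Type:   TokenElevationTypeDefault (1)
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID: 0x25b4
    Creator Process Name:   C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe
    Process Command Line:

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
"""

if __name__ == "__main__":
    parsed = parse_4688(PAGE_SAMPLE)
    print(parsed, elevation_type(parsed), triage(parsed), sep="\n")
```

Run as a script it prints the parsed fields for the page's sample, elevation type 1, and the empty-command-line note. Keying LABELS by section is what keeps the Creator Subject and Target Subject "Account Name" rows apart; a label-only regex over the message would silently let the second occurrence overwrite the first. Splitting on the first colon only is what keeps "C:\..." paths intact in New Process Name, Creator Process Name and Process Command Line.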