Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Detailed Tracking->Process Creation->EventID 4688 - A new process has been created.
EventID 4688 - A new process has been created.
Indicates a successful execution of a program by user.

Note:
New Process ID field allows you to correlate this event to events from other categories.
Associated messages have the same Process ID number, e.g. in order to find out what objects and how were accessed by the process you need to look for object access events with the same Process ID field value.
In order to find out when the started process ended look for a subsequent EventID 4689 - A process has exited with the same Process ID.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2000, 2003 Related Events:

To find out when the process ended look for the following event with the same Process ID:
 Sample:
A new process has been created.

Creator Subject:
	Security ID:		ITSS\intrust.service
	Account Name:		intrust.service
	Account Domain:		ITSS
	Logon ID:		0x3764a

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x21d0
	New Process Name:	C:\Windows\System32\conhost.exe
	Token Elevation Type:	TokenElevationTypeDefault (1)

	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x25b4
	Creator Process Name:	C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
===========================
Description template stored in adtschema.dll:
===========================
A new process has been created.

Creator Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Target Subject:
	Security ID:		%10
	Account Name:		%11
	Account Domain:		%12
	Logon ID:		%13

Process Information:
	New Process ID:		%5
	New Process Name:	%6!S!
	Token Elevation Type:	%7
	Mandatory Label:		%15
	Creator Process ID:	%8
	Creator Process Name:	%14!S!
	Process Command Line:	%9!S!

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Detailed Tracking
Source Microsoft-Windows-Security-Auditing
TaskCategory Process Creation
EventId 4688
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3 LOGISTICS
Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. InsertionString1 S-1-5-21-1135140816-2109348461-2107143693-500
Subject: Account Name Name of the account that initiated the action. InsertionString2 Administrator
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4 0x1806d9
Process Information: New Process ID InsertionString5 0x21d0
Process Information: New Process Name InsertionString6 C:\Windows\System32\conhost.exe
Process Information: Token Elevation Type InsertionString7 TokenElevationTypeDefault (1)
Process Information: Creator Process ID InsertionString8 0x25b4
Creator Subject: Security ID InsertionString1 ITSS\intrust.service
Creator Subject: Account Name InsertionString2 intrust.service
Creator Subject: Account Domain InsertionString3 ITSS
Creator Subject: Logon ID InsertionString4 0x3764a
Target Subject: Security ID InsertionString10 NULL SID
Target Subject: Account Name InsertionString11 -
Target Subject: Account Domain InsertionString12 -
Target Subject: Logon ID InsertionString13 0x0
Process Information: Mandatory Label InsertionString15 Mandatory Label\High Mandatory Level
Process Information: Creator Process Name InsertionString14 C:\Program Files (x86)\Quest\InTrust\Server\InTrust\IndexRemoteLauncher.exe
Process Information: Process Command Line InsertionString9
Comments
You must be logged in to comment