SOC Event Lookup
Event ID 4688ProcessP1

Windows Event ID 4688: A new process has been created

Windows Security Event ID 4688 records process creation and is a foundational telemetry source for identifying command execution, suspicious parent-child relationships, and attacker tooling.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when a process starts and Process Creation auditing is enabled. Full command-line capture additionally requires the relevant audit policy setting.

Key Fields

New Process Name

The executable path of the started process. Paths in user-writable directories, temporary folders, or unusual network locations merit additional context.

Process Command Line

The launch arguments. This is often the strongest indicator for encoded PowerShell, LOLBin abuse, suspicious download commands, and tool-specific behavior.

Creator Process Name / Process ID

The parent context and parent process identifier. Unusual parent-child pairs, such as Office applications launching script interpreters, are valuable detection signals.

Subject User Name

The security principal that created the process. This supports attribution and helps differentiate administrative automation from user-driven execution.

Common False Positives

  • Endpoint management and software deployment systems create large volumes of command interpreters and installers.
  • Developers and administrators may legitimately run scripting engines, compilers, and diagnostics.
  • Some environments omit command-line capture, reducing the usefulness of basic process-name detections.

Related Events

MITRE ATT&CK Mapping

  • T1059Command and Scripting Interpreter
  • T1105Ingress Tool Transfer

Detection Notes

T1059/T1105 becomes concrete when New Process Name is powershell.exe, mshta.exe, or rundll32.exe and Command Line contains -EncodedCommand, -ExecutionPolicy Bypass, or a path under C:\\Users\\, C:\\ProgramData\\, or C:\\Temp\\. Office or browser Parent Process Name launching that child is a high-signal chain.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("\\powershell.exe", "\\cmd.exe", "\\mshta.exe", "\\rundll32.exe")
| project TimeGenerated, Computer, Account, NewProcessName, CommandLine, ParentProcessName
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4688
| search New_Process_Name IN ("*\\powershell.exe", "*\\cmd.exe", "*\\mshta.exe", "*\\rundll32.exe")
| table _time, host, SubjectUserName, New_Process_Name, Process_Command_Line, Creator_Process_Name
Sample Log
New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: powershell.exe -NoProfile -EncodedCommand <redacted>
Creator Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Subject User Name: CORP\jsmith

Source