Windows Event ID 4688: A new process has been created
Windows Security Event ID 4688 records process creation and is a foundational telemetry source for identifying command execution, suspicious parent-child relationships, and attacker tooling.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is generated when a process starts and Process Creation auditing is enabled. Full command-line capture additionally requires the relevant audit policy setting.
Key Fields
New Process Name
The executable path of the started process. Paths in user-writable directories, temporary folders, or unusual network locations merit additional context.
Process Command Line
The launch arguments. This is often the strongest indicator for encoded PowerShell, LOLBin abuse, suspicious download commands, and tool-specific behavior.
Creator Process Name / Process ID
The parent context and parent process identifier. Unusual parent-child pairs, such as Office applications launching script interpreters, are valuable detection signals.
Subject User Name
The security principal that created the process. This supports attribution and helps differentiate administrative automation from user-driven execution.
Common False Positives
- Endpoint management and software deployment systems create large volumes of command interpreters and installers.
- Developers and administrators may legitimately run scripting engines, compilers, and diagnostics.
- Some environments omit command-line capture, reducing the usefulness of basic process-name detections.
Related Events
MITRE ATT&CK Mapping
- T1059Command and Scripting Interpreter
- T1105Ingress Tool Transfer
Detection Notes
T1059/T1105 becomes concrete when New Process Name is powershell.exe, mshta.exe, or rundll32.exe and Command Line contains -EncodedCommand, -ExecutionPolicy Bypass, or a path under C:\\Users\\, C:\\ProgramData\\, or C:\\Temp\\. Office or browser Parent Process Name launching that child is a high-signal chain.
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("\\powershell.exe", "\\cmd.exe", "\\mshta.exe", "\\rundll32.exe")
| project TimeGenerated, Computer, Account, NewProcessName, CommandLine, ParentProcessName
| order by TimeGenerated descindex=wineventlog EventCode=4688
| search New_Process_Name IN ("*\\powershell.exe", "*\\cmd.exe", "*\\mshta.exe", "*\\rundll32.exe")
| table _time, host, SubjectUserName, New_Process_Name, Process_Command_Line, Creator_Process_NameNew Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: powershell.exe -NoProfile -EncodedCommand <redacted>
Creator Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Subject User Name: CORP\jsmith