Process Termination

Windows 10

Windows 7

Flynn Weeks

April 21, 2022

Not enabled by default (the Process Termination subcategory defaults to No Auditing on both Windows 7 and Windows 10; turn it on with the auditpol command below)

Service: Microsoft Windows Security auditing

Log type: Security

Processes exiting is routine on any computer, but Event ID 4689 records which executable ended, under which account, with which process ID and with what exit status. That makes it useful for spotting unusual software being shut down (an AV agent or an EDR sensor, for example) and for building a timeline of events, especially when paired with the matching 4688 process creation record.

To view the process termination log, open the Windows Event Viewer and go to Windows Logs > Security. Then sort or filter the log by Event ID 4689.

To view this log from the command line with Get-WinEvent, open PowerShell as an administrator (reading the Security log requires elevation) and run Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 1 | Format-List. Raise or drop -MaxEvents to see more than the most recent event.

To view this log from the command line with wevtutil, open PowerShell or Command Prompt as an administrator and run wevtutil qe Security "/q:*[System[(EventID=4689)]]" /f:text /rd:true /c:1. The /f:text switch renders the event as readable text instead of XML, /rd:true returns newest events first and /c:1 limits the output to one event; remove the last two to dump every matching record.
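Looking at a single 4689 event tells you little; the value of the log is in turning the records into a timeline and picking out the exits that look wrong. The following PowerShell is an added example, not code from the original page. It assumes Process Termination auditing is enabled, that the prompt is elevated, and it relies on the standard 4689 EventData field names (SubjectDomainName, SubjectUserName, ProcessId, ProcessName, Status). The "outside C:\Windows" filter at the end is just one illustrative triage rule, not a rule from the page.

```powershell
# Added example, not from the original page. Assumes Process Termination auditing
# is enabled and that this runs from an elevated PowerShell prompt.
function Get-ProcessTerminationTimeline {
    param(
        [int]$Hours = 1,          # how far back to look
        [int]$MaxEvents = 500     # cap so a busy host does not flood the console
    )
    $filter = @{ LogName = 'Security'; Id = 4689; StartTime = (Get-Date).AddHours(-$Hours) }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML rather than the rendered Message text: the XML field
        # names are stable, the message wording is localized and may change.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ProcessId   = [int]$data.ProcessId     # logged as a hex string such as 0x1a2c
            ProcessName = $data.ProcessName        # full path of the executable that exited
            ExitStatus  = $data.Status             # 0x0 is a normal exit; anything else deserves a look
        }
    }
}

# Oldest first reads as a timeline.
$timeline = Get-ProcessTerminationTimeline -Hours 4 | Sort-Object Time
$timeline | Format-Table -AutoSize

# Triage view: non-zero exits, or binaries that ran from outside the Windows directory
# (an illustrative rule; tune the path filter for the host's normal software).
$timeline |
    Where-Object { $_.ExitStatus -ne '0x0' -or $_.ProcessName -notlike 'C:\Windows\*' } |
    Format-Table Time, User, ProcessId, ProcessName, ExitStatus -AutoSize
```

When correlating these records with 4688 process creation events, match on ProcessName plus ProcessId and a sensible time window rather than on the PID alone: Windows reuses process IDs, so the same PID can belong to several different processes over a few hours.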

View Logs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4689} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"Process Termination"
Disable Logging
auditpol /set /subcategory:"Process Termination" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"Process Termination" /Success:Enable /Failure:Enable
Language: Powershell