Process Termination
Enabled by default
Service: Microsoft Windows Security auditing
Log type: Security
Applications being closed is a common occurrence on a computer, but a process termination event may reveal unusual software being closed or help establish a timeline of events.
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4689'} -MaxEvents 1 | Format-List
auditpol /get /subcategory:"Process Termination"
auditpol /set /subcategory:"Process Termination" /Success:Disable /Failure:Disable
auditpol /set /subcategory:"Process Termination" /Success:Enable /Failure:Enable
Compliance
HIPAA
Level: Recommended
PCI DSS
Level: Recommended
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599
To view the process termination log, navigate to the Windows Event Viewer and open the Security log. Next, sort or filter the log by Event ID 4689.
To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4689'} -MaxEvents 1 | Format-List
To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the command wevtutil qe Security "/q:*[System [(EventID=4689)]]"
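As an added example (not part of the original page), the PowerShell function below turns 4689 "A process has exited" events into objects that can be sorted into the timeline described above. The field names it reads (Status, ProcessId, ProcessName, SubjectUserName, SubjectDomainName) are the EventData fields of event 4689; the sample event is constructed, not a real log entry.

```powershell
# Added example (not from the original page): convert a 4689 event's XML into a timeline object.
function ConvertFrom-ProcessExitEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $EventXml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Collect the <Data Name="...">value</Data> pairs from EventData into a hashtable
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $time = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')

    [pscustomobject]@{
        Time        = [datetime]$time
        User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        ProcessId   = [int]$data.ProcessId      # logged as hex, e.g. 0x1a2c
        ProcessName = $data.ProcessName
        ExitStatus  = $data.Status              # 0x0 is a normal exit; anything else deserves a look
        CleanExit   = ($data.Status -eq '0x0')
    }
}

# Constructed sample 4689 event (not a real log entry)
$sample = [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4689</EventID><TimeCreated SystemTime="2021-09-14T18:14:12.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="Status">0x1</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="ProcessName">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>
"@
ConvertFrom-ProcessExitEvent -EventXml $sample

# The same conversion over live events, sorted into a timeline (run from an elevated PowerShell):
# Get-WinEvent -FilterHashtable @{LogName='Security';ID=4689} -MaxEvents 50 |
#     ForEach-Object { ConvertFrom-ProcessExitEvent ([xml]$_.ToXml()) } |
#     Sort-Object Time | Format-Table Time, User, ProcessId, ProcessName, ExitStatus
```

Live events only appear once the Process Termination subcategory is enabled with the auditpol command shown above; the sample event runs without any audit configuration.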